LNCS 6477 




Advances in Cryptology - 
ASIACRYPT 2010 


16th International Conference on the Theory 

and Application of Cryptology and Information Security 

Singapore, December 2010, Proceedings 


Lecture Notes in Computer Science 

Commenced Publication in 1973 
Founding and Former Series Editors: 

Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen 


Editorial Board 

David Hutchison 

Lancaster University, UK 
Takeo Kanade 

Carnegie Mellon University, Pittsburgh, PA, USA 
Josef Kittler 

University of Surrey, Guildford, UK 
Jon M. Kleinberg 

Cornell University, Ithaca, NY, USA 
Alfred Kobsa 

University of California, Irvine, CA, USA 
Friedemann Mattern 

ETH Zurich, Switzerland 
John C. Mitchell 

Stanford University, CA, USA 
Moni Naor 

Weizmann Institute of Science, Rehovot, Israel 
Oscar Nierstrasz 

University of Bern, Switzerland 
C. Pandu Rangan 

Indian Institute of Technology, Madras, India 
Bernhard Steffen 

TU Dortmund University, Germany 
Madhu Sudan 

Microsoft Research, Cambridge, MA, USA 
Demetri Terzopoulos 

University of California, Los Angeles, CA, USA 
Doug Tygar 

University of California, Berkeley, CA, USA 
Gerhard Weikum 

Max Planck Institute for Informatics, Saarbruecken, Germany 


6477 



Masayuki Abe (Ed.) 


Advances in Cryptology - 
ASIACRYPT 2010 


16th International Conference on the Theory 

and Application of Cryptology and Information Security 

Singapore, December 5-9, 2010 

Proceedings 


Springer



Volume Editor 


Masayuki Abe 

3-9-11 Midori-cho, Musashino-shi, Tokyo 180-8585, Japan 
E-mail: abe.masayuki@lab.ntt.co.jp 


Library of Congress Control Number: 2010939472 

CR Subject Classification (1998): E.3, D.4.6, F.2, K.6.5, G.2, I.1, J.1
LNCS Sublibrary: SL 4 - Security and Cryptology 
ISSN 0302-9743 

ISBN-10 3-642-17372-1 Springer Berlin Heidelberg New York 

ISBN-13 978-3-642-17372-1 Springer Berlin Heidelberg New York 


This work is subject to copyright. All rights are reserved, whether the whole or part of the material is 
concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, 
reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication 
or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, 
in its current version, and permission for use must always be obtained from Springer. Violations are liable 
to prosecution under the German Copyright Law. 
springer.com 

© International Association for Cryptologic Research 2010 
Printed in Germany 

Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India 
Printed on acid-free paper



Preface 


ASIACRYPT 2010 was held in the Swissotel Merchant Court in Singapore, dur- 
ing December 5-9, 2010. The conference was sponsored by the International 
Association for Cryptologic Research (IACR) in cooperation with the Coding 
and Cryptography Research Group of Nanyang Technological University. It was 
also supported by the Singapore Tourism Board, and co-sponsored by the Na- 
tional Research Foundation of Singapore, Lee Foundation, IBM Singapore Ltd., 
O’Connor’s Singapore Ltd., Puffersoft Ltd., Privylink Ltd., Hewlett-Packard Sin- 
gapore Ltd., Jardine OneSolution Ltd., and Singapore Mathematical Society. San 
Ling chaired the conference and I served as the Program Chair. 

There were 216 valid submissions. The Program Committee aided by 221 
external reviewers spent 83 days on reviews and discussions. They spared no 
effort to increase the quality of their reviews. Every paper received at least 
three independent reviews, and papers from the committee members received 
five reviews. In total, there were more than 730 reviews followed by intensive 
discussion. This long and tough process, wrapped up with an intensive face-to- 
face meeting by the committee members convened at UC Santa Barbara, yielded 
35 accepted papers. I regret not being able to select more of such high-quality 
papers due to space limitations. The proceedings include the revised versions of 
the accepted papers. The authors are fully responsible for their contents. 

The best paper award was given to “Rotational Rebound Attacks on Reduced 
Skein” by Dmitry Khovratovich, Ivica Nikolic, and Christian Rechberger. There 
were a further two best papers, “Improved Single-Key Attacks on 8-Round AES- 
192 and AES-256” by Orr Dunkelman, Nathan Keller, and Adi Shamir, and “Ef- 
ficient Public-Key Cryptography in the Presence of Key Leakage” by Yevgeniy 
Dodis, Kristiyan Haralambiev, Adriana López-Alt, and Daniel Wichs, that were
solicited for full version submission to the Journal of Cryptology. The conference 
program included two invited talks: “Cryptography, from Theory to Practice: A 
Personal Perspective” by Hugo Krawczyk, and “Cryptographic Hash Functions 
and the SHA-3 Competition” by Bart Preneel. 

There are many people I would like to acknowledge but only a few can be 
listed here. First I would like to thank all the authors of the submitted papers. 
I am deeply grateful to all the members of the Program Committee for their 
expertise and enthusiasm that brought success to a difficult project. I also want 
to express appreciation to the external reviewers listed in the following pages. 
Special thanks to Shai Halevi for providing and setting up the splendid review 
software, and Huaxiong Wang and his staff at Nanyang Technological Univer- 
sity, who helped me to manage the review process in many ways. Finally, I 
am indebted to Kaoru Kurosawa, Mitsuru Matsui, Nigel Smart, and Tatsuaki 
Okamoto, who gave me invaluable advice as Chairs of past IACR conferences. 


September 2010 


Masayuki Abe 
Rotational Rebound Attacks on Reduced Skein

Dmitry Khovratovich, Ivica Nikolic, and Christian Rechberger

Abstract. In this paper we combine a recent rotational cryptanalysis with the rebound attack, which results in the best cryptanalysis of Skein, a candidate for the SHA-3 competition. The rebound attack approach was so far only applied to AES-like constructions. For the first time, we show that this approach can also be applied to very different constructions. In more detail, we develop a number of techniques that extend the reach of both the inbound and the outbound phase, leading to cryptanalytic results on an estimated 53/57 out of the 72 rounds of the Skein-256/512 compression function and the Threefish cipher.

The new techniques include an analytical search for optimal input values in the rotational cryptanalysis, which allows us to extend the outbound phase of the attack with a precomputation phase, an approach never used in any rebound-style attack before. Further, we show how to combine multiple inside-out computations and neutral bits in the inbound phase of the rebound attack, and give well-defined rotational distinguishers as certificates of weaknesses for the compression functions and block ciphers.

Keywords: Skein, hash function, rotational cryptanalysis, rebound at- 
tack, distinguisher. 


1 Introduction 

Rotational cryptanalysis and the rebound attack proved to be very effective in the analysis of SHA-3 candidates and related primitives. Rotational cryptanalysis succeeded in the analysis of Addition-Rotation-XOR (ARX) primitives, particularly in reduced variants of Threefish, Shabal, and BMW. The rebound attack is mostly aimed at byte-oriented primitives with an SPN structure. It gives the best attacks so far on reduced variants of the SHA-3 candidates Grøstl, ECHO, LANE, and Cheetah, and on the hash function Whirlpool, among others.

In this paper we introduce the combination of these two attacks with the application to the Skein compression function. We start with a number of preliminaries in Section 2. Our attacks will be based on methods to show non-random properties. For this we need definitions and bounds for distinguishers, which we give in Section 3. There we introduce the rotational collision set property for n-bit compression functions and ideal ciphers, and demonstrate a lower bound of about $q \cdot 2^{\frac{q-2}{q+2} n}$ for the complexity of finding such a set of size q in the black-box approach.

M. Abe (Ed.): ASIACRYPT 2010, LNCS 6477, pp. 1-19, 2010.

Then we proceed to the analysis of Skein and Threefish. We provide a much more careful and precise estimation of rotational probabilities compared to the earlier rotational analysis of Threefish. We represent the propagation of the rotational property analytically, and derive necessary conditions on the key bits to enlarge the rotational probability. We also correct that earlier analysis in terms of the independence assumptions, and find the best values of key bits with an optimized search. Although we attack the tweaked version of Threefish, we stress that our attack is well applicable to the first version, and even benefits from the better diffusion that the tweaked rotation constants provide.

This analysis gives us a simple rotational distinguisher for Threefish on up to 44 rounds. We advance even further and show how to put the rotational property into the outbound phase of the recent powerful rebound attack. The inner part of the rebound attack, the inbound phase, is accelerated with the method of the auxiliary path and neutral bits. In contrast to the first attacks on Skein, where auxiliary paths were used in differential attacks, we show how to involve them in the rotational attack. As a result, we get a rotational distinguisher for the reduced Skein compression function. We attack 53 rounds of Skein-256 and 57 rounds of Skein-512 (Section 4).

Our results demonstrate substantial weaknesses both in the reduced Threefish cipher and the Skein compression function. The designers of Skein do not directly address the security of these primitives in the model that we consider, although the security of Threefish against all "standard attacks" is claimed. Also, our attacks show that the reduced Threefish does not behave as an ideal cipher, which is essential for the Skein security proofs. If Skein had the reduced Threefish inside, the indifferentiability of the Skein hash from a random oracle would be violated.

2 Preliminaries 

2.1 Description of Skein 

Skein is a family of hash functions, based on the block cipher Threefish of which 
the following versions are relevant for the SHA-3 proposal: Threefish-256 — 256- 
bit block cipher with 256-bit key and Threefish-512 — 512-bit block and key. 
Both the internal state I and the key K consist of $N_w$ ($N_w = 4, 8$ for Threefish-256, -512, respectively) 64-bit words. The $N_w$ words of the s-th subkey $K^s$ are defined as follows:

$$K^s_j = K_{(s+j) \bmod (N_w+1)}, \qquad 0 \le j \le N_w - 4;$$
$$K^s_{N_w-3} = K_{(s+N_w-3) \bmod (N_w+1)} + t_{s \bmod 3};$$
$$K^s_{N_w-2} = K_{(s+N_w-2) \bmod (N_w+1)} + t_{(s+1) \bmod 3};$$
$$K^s_{N_w-1} = K_{(s+N_w-1) \bmod (N_w+1)} + s,$$

where s is a round counter, $t_0$ and $t_1$ are tweak words, and

$$t_2 = t_0 + t_1, \qquad K_{N_w} = \lfloor 2^{64}/3 \rfloor \oplus \bigoplus_{j=0}^{N_w-1} K_j.$$

Table 1. Summary of the attacks on Skein and Threefish

  Rounds | Attack        | Method                          | Reference
  Skein/Threefish-256 (72 rounds)
  24*    | Key recovery  | Related-key differential        | previous work
  39     | Key recovery  | Related-key rotational          | previous work
  53     | Distinguisher | Rotational rebound              | Section 4
  Skein/Threefish-512 (72 rounds)
  25*    | Key recovery  | Related-key differential        | previous work
  33*    | Key recovery  | Related-key boomerang           | previous work
  35*    | Key recovery  | Known-related-key distinguisher | previous work
  42     | Distinguisher | Related-key rotational          | previous work
  57     | Distinguisher | Rotational rebound              | Section 4

  * The attack was designed for the untweaked version.

The formal description of internal rounds is as follows. Let $N_r$ be the number of rounds ($N_r = 72$ for Threefish-256, -512). Then for every $1 \le d \le N_r$:

— If $d \bmod 4 = 1$, add a subkey by setting $I_j \leftarrow I_j + K^{\lfloor d/4 \rfloor}_j$;

— For $0 \le j < N_w/2$ set $(I_{2j}, I_{2j+1}) \leftarrow \mathrm{MIX}((I_{2j}, I_{2j+1}))$;

— Apply the permutation $\pi$ on the state words.

At the end, the subkey $K^{N_r/4}$ is added. The operation MIX has two inputs $x_0, x_1$ and produces two outputs $y_0, y_1$ with the following transformation:

$$y_0 = x_0 + x_1, \qquad y_1 = (x_1 \lll R_{(d \bmod 8)+1,\, j}) \oplus y_0.$$

The exact values of the rotation constants $R_{i,j}$ as well as the permutations $\pi$ (which are different for each version of Threefish) can be found in the Skein specification. We note that the rotation constants were changed in the Skein tweak, and we attack the new version, although a similar analysis is applicable to the old version as well.

The compression function $F(H_{i-1}, M_i)$ of Skein is defined as:

$$F(H_{i-1}, M_i) = E_{H_{i-1}, T_i}(M_i) \oplus M_i,$$

where $E_{K,T}(P)$ is the Threefish cipher, $H_{i-1}$ is the previous chaining value, $T_i$ is the tweak, and $M_i$ is the message block.

The best known analysis of Skein is rotational distinguishers on the underlying Threefish cipher, which attack 39 rounds of Skein-256 and 42 rounds of Skein-512 (see Table 1).
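The subkey schedule above as running code, together with a check of which subkey words stay rotational when both the key and the tweak are rotated. This is an added example, not code from the paper or from the Skein submission. The constant $\lfloor 2^{64}/3 \rfloor$ is the one written above (it is the untweaked Skein constant); the tweaked-version constant C240 = 0x1BD11BDAA9FC1A22 is taken from the Skein specification and is an assumption of this example, as are the sample key and the zero tweak. The check is the one a rotational attacker wants before anything else: with a rotational key pair $(K, \overleftarrow{K})$, which words of $K^s$ break the rotational property?

```python
# Added example: Threefish subkey generation as defined in Section 2.1, plus a
# check of which subkey words remain a rotational pair when the key and tweak
# are rotated.  Not code from the paper or from the Skein submission.
MASK64 = (1 << 64) - 1

# Key-schedule constant.  The paper writes floor(2^64/3) (= 0x5555...5, the
# untweaked Skein constant); the tweaked specification uses C240 below, whose
# value is assumed here from the Skein specification.
C_UNTWEAKED = (1 << 64) // 3
C_TWEAKED = 0x1BD11BDAA9FC1A22


def rotl64(x, r):
    """Rotate a 64-bit word left by r bits."""
    r %= 64
    if r == 0:
        return x & MASK64
    return ((x << r) | (x >> (64 - r))) & MASK64


def threefish_subkey(key, tweak, s, const=C_TWEAKED):
    """Return the N_w words of subkey K^s.

    key:   N_w = 4 or 8 key words K_0 .. K_{N_w-1}
    tweak: (t_0, t_1); t_2 = t_0 + t_1 is derived
    s:     subkey index, 0 .. N_r/4
    """
    nw = len(key)
    if nw not in (4, 8) or len(tweak) != 2:
        raise ValueError("Threefish-256/512 only: 4 or 8 key words, 2 tweak words")
    t = [tweak[0], tweak[1], (tweak[0] + tweak[1]) & MASK64]
    parity = const
    for w in key:
        parity ^= w
    k = list(key) + [parity]                     # K_{N_w} = const XOR K_0 XOR ... XOR K_{N_w-1}
    sub = [k[(s + j) % (nw + 1)] for j in range(nw)]
    sub[nw - 3] = (sub[nw - 3] + t[s % 3]) & MASK64        # + t_{s mod 3}
    sub[nw - 2] = (sub[nw - 2] + t[(s + 1) % 3]) & MASK64  # + t_{(s+1) mod 3}
    sub[nw - 1] = (sub[nw - 1] + s) & MASK64               # + round counter
    return sub


def non_rotational_subkey_words(key, tweak, s, r, const=C_TWEAKED):
    """Indices j for which (K^s_j of K, K^s_j of rot(K)) is NOT a rotational pair.

    The second key and tweak are the word-wise left rotation by r of the first.
    A word fails exactly where something non-rotational enters: the round
    counter s, the parity word when rot(const) != const, or a carry in the
    tweak addition.
    """
    rkey = [rotl64(w, r) for w in key]
    rtweak = [rotl64(w, r) for w in tweak]
    a = threefish_subkey(key, tweak, s, const)
    b = threefish_subkey(rkey, rtweak, s, const)
    return [j for j in range(len(key)) if rotl64(a[j], r) != b[j]]


# Constructed sample key; the zero tweak makes t_2 = t_0 + t_1 trivially rotational.
SAMPLE_KEY = [0x0123456789ABCDE0, 0x1122334455667788,
              0x99AABBCCDDEEFF00, 0x0F0F0F0F0F0F0F00]
ZERO_TWEAK = (0, 0)

if __name__ == "__main__":
    for const, name in ((C_UNTWEAKED, "floor(2^64/3)"), (C_TWEAKED, "C240")):
        print(f"constant {name}: invariant under rotation by 2 = {rotl64(const, 2) == const}")
        for s in range(5):
            bad = non_rotational_subkey_words(SAMPLE_KEY, ZERO_TWEAK, s, 2, const)
            print(f"  K^{s}: non-rotational words {bad}")
```

With the untweaked constant and rotation amount 2, the constant itself is rotation-invariant, so for $s \ge 1$ only the word carrying the round counter fails; with C240 the parity word $K_{N_w}$ also fails wherever it enters a subkey. This is the "presence of counters" obstacle that Section 3.1 answers with low-weight corrections, and the reason the outbound phase fixes the rotation amount to 2.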


D. Khovratovich, I. Nikolic, and C. Rechberger 


2.2 Rotational Cryptanalysis 

The main idea of rotational cryptanalysis is to consider a pair of words where one is a rotation of the other. The pair $(X, \overleftarrow{X})$ is called a rotational pair [with a rotation amount r], where $\overleftarrow{X}$ is the rotation of X by r bits to the left. A rotational pair is preserved by any bitwise transformation, in particular by the bitwise XOR and by any rotation. The probability that a rotational pair comes out of the addition is given by the following formula:

$$\Pr\left(\overleftarrow{x} + \overleftarrow{y} = \overleftarrow{x + y}\right) = \frac{1}{4}\left(1 + 2^{r-n} + 2^{-r} + 2^{-n}\right).$$

For large n and small r we get the following table:

  r | Pr    | log2(Pr)
  1 | 0.375 | -1.415
  2 | 0.313 | -1.678
  3 | 0.281 | -1.830

For $r = n/2$ the probability is close to 1/4. The same holds for rotations to the right. When an addition of rotational inputs does not produce rotational outputs, we say that the addition produced a rotational error.
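The formula and the table above, checked by computation. This is an added example, not code from the paper: it evaluates the formula as an exact rational, verifies it against exhaustive enumeration of all pairs for small word sizes (where the two carries that must both vanish can be counted directly), and samples 64-bit words for the rotation amounts used in the table.

```python
# Added example: the rotational probability of modular addition from Section 2.2,
# verified exhaustively for small word sizes and evaluated for 64-bit words.
# Not code from the paper.
from fractions import Fraction
import math
import random


def rotl(x, r, n):
    """Rotate the n-bit word x left by r bits."""
    r %= n
    mask = (1 << n) - 1
    if r == 0:
        return x & mask
    return ((x << r) | (x >> (n - r))) & mask


def rotational_add_prob(n, r):
    """Pr[rot(x) + rot(y) = rot(x + y)] for uniform n-bit x, y, as an exact rational.

    This is the formula of the text, (1 + 2^(r-n) + 2^-r + 2^-n)/4.  Writing
    x = a||b with a the top r bits, the rotated sum equals the sum rotated iff
    neither the low (n-r)-bit parts nor the high r-bit parts produce a carry;
    those two events are independent with probabilities 1/2 + 2^(r-n-1) and
    1/2 + 2^(-r-1), whose product is the formula.
    """
    return Fraction(2**n + 2**r + 2**(n - r) + 1, 2**(n + 2))


def exhaustive_rotational_add_prob(n, r):
    """Brute force over all 2^(2n) pairs; feasible for n up to about 10."""
    mask = (1 << n) - 1
    rot = [rotl(v, r, n) for v in range(1 << n)]
    hits = 0
    for x in range(1 << n):
        rx = rot[x]
        for y in range(1 << n):
            if (rx + rot[y]) & mask == rot[(x + y) & mask]:
                hits += 1
    return Fraction(hits, 1 << (2 * n))


def sampled_rotational_add_prob(n, r, trials=100000, seed=1):
    """Monte Carlo estimate for word sizes where brute force is out of reach."""
    rng = random.Random(seed)
    mask = (1 << n) - 1
    hits = 0
    for _ in range(trials):
        x, y = rng.getrandbits(n), rng.getrandbits(n)
        if (rotl(x, r, n) + rotl(y, r, n)) & mask == rotl((x + y) & mask, r, n):
            hits += 1
    return hits / trials


def rotational_error_table(n, amounts=(1, 2, 3)):
    """Rows (r, Pr, log2 Pr) as in the table of Section 2.2."""
    rows = []
    for r in amounts:
        p = float(rotational_add_prob(n, r))
        rows.append((r, p, math.log2(p)))
    return rows


if __name__ == "__main__":
    for r in range(1, 8):
        assert exhaustive_rotational_add_prob(8, r) == rotational_add_prob(8, r)
    for r, p, lg in rotational_error_table(64):
        print(f"r={r}  Pr={p:.4f}  log2(Pr)={lg:.3f}")
    print("64-bit words, r=2, sampled:", sampled_rotational_add_prob(64, 2))
```

For n = 64 the rows come out as 0.375, 0.3125 and 0.28125, i.e. log2 values of -1.415, -1.678 and -1.830; each modular addition on the rotational trail therefore costs between 1.4 and 1.8 bits of probability, which is what the per-round probabilities in Section 4.4 are built from.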

The use of constants can violate the rotational property. Yet, if the constants are rotational as well, then the property is preserved, i.e. if $C = \overleftarrow{C}$ then $\overleftarrow{X \oplus C} = \overleftarrow{X} \oplus C$.

Rotational analysis deals with constants by introducing rotational corrections in pairs of inputs:

$$(X, \overleftarrow{X}_{\text{modified}}).$$

Then the rotational path is constructed so that the pre-fixed corrections and the errors from the failed modular additions compensate the errors from the use of constants.

We stress that in order to apply the rotational attack to the full scheme, all its inputs must be rotational pairs [with corrections].

2.3 Rebound Attack 

The rebound attack was described as a variant of differential cryptanalysis optimized for the cryptanalysis of hash functions, and at the same time it can be seen as a high-level model for hash function cryptanalysis. So far it was mainly applied to AES-like constructions because of the simple way useful truncated differential characteristics can be found in them for a number of rounds.

The rebound attack is aimed to construct solutions for the most expensive 
part of a truncated differential trail. In the inbound phase, which covers only a 
few rounds, we construct solutions that connect low-weight input and output 
differences. In the outbound phase these solutions are propagated through the 
other rounds in both directions. 
3 Rotational Distinguishers

In order to convincingly argue that a particular attack algorithm indeed shows 
non-random behavior of a hash function or a compression function, we need to 
argue that an attacker with only a black-box access to an ideal primitive of the 
same domain and range is not able to produce the same behavior with the same 
or better effort and probability. 

Next in this section, we define a basic rotational distinguisher with corrections and give bounds on the complexity of the resulting problems. Any shortcut algorithm will have to beat those bounds in order to make a convincing case for an attack. To do this, we adapt two known distinguisher concepts. The q-multicollision distinguisher of [3] will be the basis for a rotational distinguisher with corrections fixed by the attacker.

3.1 Rotational Distinguishers with Fixed Corrections 

Due to the presence of counters, the rotational input pairs in Skein never convert to rotational output pairs. However, low-weight corrections applied to the input pairs admit such a conversion with reasonably high probability:

$$\mathrm{Skein}(\overleftarrow{W} \oplus e) = \overleftarrow{\mathrm{Skein}(W)},$$

where Skein is the compression function F. We say that X is a rotational collision for a function f if

$$\overleftarrow{f(X)} = f(\overleftarrow{X} \oplus e).$$

When the rotational correction is not fixed, the rotational collision search complexity is given by an equivalent of the birthday paradox and is about $2^{n/2}$.

However, we provide a stronger distinguisher for the Skein compression function F, which asks for a set of rotational collisions with the same correction e:

$$\overleftarrow{F(X_1)} = F(\overleftarrow{X_1} \oplus e);$$
$$\overleftarrow{F(X_2)} = F(\overleftarrow{X_2} \oplus e);$$
$$\ldots$$
$$\overleftarrow{F(X_q)} = F(\overleftarrow{X_q} \oplus e).$$

Since the value of e is defined from the first equation, each new rotational collision costs about $2^n$ for a random function, and less for the Skein compression function as we show in the further text.
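The two search problems just described, run against a constructed toy function so that the cost difference is visible in seconds: with the correction e free, a birthday search over about $2^{n/2}$ outputs finds a rotational collision; once e is fixed by that first collision, each further one costs about $2^n$ evaluations. This is an added example, not code from the paper; the function is a SHA-256 based stand-in for a random function with a 32-bit input and a 16-bit output (the input is wider than the output, as the paper's $X = IV \| M$ is), and those sizes are assumptions of the example.

```python
# Added example: rotational collisions with a free versus a fixed correction e
# (Section 3.1), on a constructed toy function.  Not Skein and not code from the
# paper; the toy sizes are chosen so both searches finish in seconds.
import hashlib

M_BITS = 32   # input width (the paper's X = IV || M is wider than the output)
N_BITS = 16   # output width n of the toy "compression function"


def rotl(x, r, n):
    """Rotate the n-bit word x left by r bits."""
    r %= n
    mask = (1 << n) - 1
    if r == 0:
        return x & mask
    return ((x << r) | (x >> (n - r))) & mask


def toy_f(x):
    """Stand-in for a random function {0,1}^32 -> {0,1}^16 (constructed, SHA-256 based)."""
    digest = hashlib.sha256(b"rotational-collision-toy|" + x.to_bytes(8, "big")).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << N_BITS) - 1)


def is_rotational_collision(f, x, e, r):
    """X is a rotational collision for f with correction e if rot(f(X)) = f(rot(X) xor e)."""
    return rotl(f(x), r, N_BITS) == f(rotl(x, r, M_BITS) ^ e)


def find_collision_free_correction(f, r):
    """e not fixed: any X, Y with f(Y) = rot(f(X)) is a rotational collision once
    we set e = Y xor rot(X), so a birthday search over ~2^(n/2) outputs suffices.
    Returns (e, X, number of f evaluations)."""
    seen = {}                       # rot(f(X)) -> X for the X seen so far
    for i in range(1 << M_BITS):
        fi = f(i)
        seen[rotl(fi, r, N_BITS)] = i
        if fi in seen:              # here i plays the role of Y
            x = seen[fi]
            return i ^ rotl(x, r, M_BITS), x, i + 1
    raise RuntimeError("no rotational collision found (degenerate f)")


def find_collisions_fixed_correction(f, e, r, q, start=0, limit=None):
    """e fixed by the first collision: each further X satisfies the relation with
    probability ~2^-n per trial for a random f, so q of them cost about q * 2^n.
    Returns (list of X, number of f evaluations)."""
    if limit is None:
        limit = 12 * q * (1 << N_BITS)   # generous cap; the expected need is q * 2^n trials
    found, evaluations, x = [], 0, start
    while len(found) < q and x < start + limit:
        evaluations += 2
        if is_rotational_collision(f, x, e, r):
            found.append(x)
        x += 1
    return found, evaluations


if __name__ == "__main__":
    e, x0, cost = find_collision_free_correction(toy_f, 1)
    print(f"free e:  X={x0:#010x} e={e:#010x} after {cost} evaluations (about 2^{N_BITS // 2})")
    xs, cost = find_collisions_fixed_correction(toy_f, e, 1, 2)
    print(f"fixed e: {len(xs)} collisions after {cost} evaluations (about q * 2^{N_BITS})")
```

The second function is the generic algorithm against which Section 4 is measured: for the real compression function the per-collision cost with fixed e is $2^{244}$ (Skein-256) and $2^{495}$ (Skein-512), below the $2^{256}$ and $2^{512}$ a random function would require.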

However, we prove the advantage of our distinguisher in a stronger setting by taking into account the fact that the Skein compression function is built on a block cipher $E_K(P)$:

$$F(IV, M) = E_{IV}(M) \oplus M.$$

We admit corrections only in the IV, so a rotational collision is formulated as

$$\overleftarrow{F(IV, M)} = F(\overleftarrow{IV} \oplus e, \overleftarrow{M}) \iff \overleftarrow{E_{IV}(M) \oplus M} = E_{\overleftarrow{IV} \oplus e}(\overleftarrow{M}) \oplus \overleftarrow{M} \iff \overleftarrow{E_{IV}(M)} = E_{\overleftarrow{IV} \oplus e}(\overleftarrow{M}).$$

Thus the appropriate definition is as follows. 

Definition 1. A set

$$\{e;\ (P_1, K_1), (P_2, K_2), \ldots, (P_q, K_q)\}$$

is called a rotational q-collision set for a cipher $E_K(\cdot)$ if

$$\overleftarrow{E_{K_1}(P_1)} = E_{\overleftarrow{K_1} \oplus e}(\overleftarrow{P_1});$$
$$\ldots$$
$$\overleftarrow{E_{K_q}(P_q)} = E_{\overleftarrow{K_q} \oplus e}(\overleftarrow{P_q}).$$

We follow the line of the first attack on the full AES [3] and compare the problem of finding a rotational collision set for an ideal cipher with that for reduced Threefish. Our results demonstrate that the versions of Threefish that we consider do not behave like an ideal cipher and thus do not provide the required security level for the Skein mode of operation (i.e., they violate the random oracle property).

The complexity of the generic attack is measured in the number of queries to the encryption and decryption oracles of an ideal cipher.

Lemma 1. To construct a rotational q-collision set for an ideal cipher with an n-bit block an adversary needs at least $O\left(q \cdot 2^{\frac{q-2}{q+2} n}\right)$ queries on average.

Proof. The proof is similar to the proof of the multicollision lemma in [3]. We provide only a sketch of it.

First, we show that a rotational collision set is uniquely determined by q + 1 query parameters. Then for any such set we compute the probability that it gives a collision set. The exact formula depends on the total number L of queries and their configuration, but the lower bound is

$$L \ge \Omega\left(q \cdot 2^{\frac{q-2}{q+2} n}\right).$$


4 Rotational Rebound Attack on Skein 

4.1 Overview 

Our attack consists of three parts: an inbound phase, an acceleration phase, and an outbound phase. In the inbound phase we prepare enough rotational pairs of states for the outbound phase. The acceleration phase speeds up the outbound phase. An illustration of the attack is given in Fig. 1, and its structure is summarized in Table 2.

Fig. 1. The complete rotational rebound attack on Skein-256, -512 (phases from left to right: Outbound, Acceleration, Inbound, Acceleration; the subkeys $K^{s-1}$, $K^s$, $K^{s+1}$ mark the phase boundaries).

Table 2. Structure of the rebound attack on Skein

                          Outbound             | Acceleration I | Inbound | Acceleration II
                          Rounds | Probability | Rounds         | Rounds  | Rounds
  Skein-256 (53 rounds)   3-42   | 2^-244      | 43-44          | 45-52   | 53-55
  Skein-512 (57 rounds)   3-46   | 2^-495      | 47-48          | 49-56   | 57-59

The probability of the outbound phase depends on the values of particular key bits (see details in Section 4.4). As a result, we put global conditions on the keys, which are given in Tables 3 and 4.

For the distinguisher, we produce many M and K such that

$$E_{\overleftarrow{K} \oplus e}(\overleftarrow{M}) = \overleftarrow{E_K(M)},$$

where E is Threefish-256 reduced to rounds 2-54 (2-58 for the 512-bit version). For the Skein compression function, we produce many M, IV, and T such that

$$F(\overleftarrow{IV} \,\|\, \overleftarrow{T} \oplus e,\ \overleftarrow{M}) = \overleftarrow{F(IV \,\|\, T,\ M)}$$

for the same e. The total complexity is about $2^{244}$ per pair in Skein-256, and $2^{495}$ per pair in Skein-512. Therefore, we are able to construct a set of rotational collisions for the Skein compression function with complexity lower than for a random function. Also, we can construct a rotational q-collision set for the cipher Threefish with complexity lower than for an ideal cipher. This proves the relevance of our attack.
Table 3. Pre-fixed values of key bits in Skein-256. The middle 58 bits of $k_i$ coincide (with regard to the rotation) in related keys.

                 k_0        k_1        k_2        k_3        k_4
  K              0111..10   0100..11   0011..10   0000..11   0101..01
  rot(K) ⊕ e     11..0011   00..1010   11..0110   00..1001   01..0011

Table 4. Pre-fixed values of key bits in Skein-512

  K              0011..01   0000..01   0111..10   0000..01   0000..01   0001..10
  rot(K) ⊕ e     11..0010   00..0001   11..0011   00..0010   00..0001   01..0101

4.2 Inbound Phase 

The inbound phase can be seen as the inner loop of the attack algorithm. The 
goal is to use all degrees of freedom available to efficiently provide enough start- 
ing points for the outbound part. The details depend on the variant of Skein 
considered, the choice of round key additions that are covered by the inbound 
phase, etc. In the following we describe the technique in a way that is indepen- 
dent of such details. 

Let us consider 8 consecutive rounds. The addition of the round key $K^s$ in the middle will be our matching point. We enumerate a large set of internal states both before and after the round key addition such that (1) the expected rotational trail is followed in the 8 rounds, and (2) it is possible to compute a subkey $K^s$ that matches the global constraints set up for later phases of the attack, and connects those two internal states. In experiments we found that simply forcing a part (less than a quarter of the bits) of the state to a particular value can lead to pairs following a rotational trail with probability 1 for 3-5 rounds in the forward direction. For the inbound phase we actually need less: two rounds in the forward direction and two rounds in the backward direction are enough for both chunks of 4 rounds that we operate on independently. In addition, for those two rounds, many differentials exist that allow for manipulation of the outputs of those 4-round chunks in a way that resembles message modification techniques in MD5 or SHA-1. To connect those chunks of 4-round computations, we use the degrees of freedom in the choice of the subkey $K^s$. The global conditions

On the other hand, note that this does not fully determine the key yet, as the compression function also has a tweak input which serves as another source of degrees of freedom. This leaves some control over the subkeys $K^{s+1}$ and $K^{s-1}$.

4.3 Acceleration Phase 

The acceleration phase of the attack may be seen as part of the inbound phase or part of the outbound phase. Technically, starting from here computations are done in an inside-out manner, yet remaining degrees of freedom are used to accelerate the search for right pairs in the outbound phase.

As soon as we get a right pair of computations for the inbound phase, we produce many more of them from the given one as follows. We follow the simple idea of neutral bits as e.g. applied in the analysis of SHA-0 and SHA-1. We view them as an auxiliary path (also formalized as tunnels or submarines) and apply the differences specified by the path to the key and the tweak.

The configuration of the auxiliary path for Skein-256 is given in Table 5. We apply the original path difference to the first execution of the pair, and the rotated path difference to the second execution.

We consider ⊕-differences here, so we have to take into account the fact that the tweak and the key are added by modular addition. Therefore, we choose the difference so that the probability of a carry is low. However, since adjacent bits are often neutral as well, a carry bit may still preserve the rotational pair.

Table 5. Configuration of the auxiliary path for Skein-256. $K_i$ is the i-th word of the first subkey $K^0$.

  Round | Subkey | Subkey words            | Tweak | Tweak words
  45    | K^11   | K_1   K_2   K_3   K_4   | T^11  | T_2   T_0
        |        | 0     0     δ     δ     |       | 0     δ
  49    | K^12   | K_2   K_3   K_4   K_0   | T^12  | T_0   T_1
        |        | 0     δ     δ     0     |       | δ     δ
  53    | K^13   | K_3   K_4   K_0   K_1   | T^13  | T_1   T_2
        |        | δ     δ     0     0     |       | δ     0

In Skein-256 we take various δ and apply the resulting auxiliary path to the right pair. We choose δ so that the differences in the subkey $K^{12}$ compensate each other. Then we check whether the modular additions in rounds 43-44 and 53-55 are not affected by the modification. If so, we get another rotational pair for rounds 43-55.

In experiments, we found that 44 of the 64 possible individual bits that result in a local collision of the latter type behave neutrally with probability larger than 0.75 for three rounds in the forward direction and simultaneously two rounds in the backward direction; 37 consecutive bits of those have a probability very close to 1.0. Details for this phase are given in a table in the Appendix. Overall, the results mean that every time those five rounds in the outbound phase are computed, and the effort for those is less than $2^{37}$, the amortized effort for those computations will be negligible. If the effort for those five rounds is more, the effect of this acceleration phase, the speed-up, still grows roughly exponentially with the number of neutral bits used.


4.4 Outbound Phase 

We follow the idea of the earlier rotational analysis of Threefish and introduce corrections in the Threefish keys. But unlike that work we consider modular corrections, i.e. we define the related-key pair by $(K, K + e)$, where e is a low-weight correction, "+" is modular addition, and the rotation amount is fixed to 2 to bypass the key schedule constant. Each 64-bit word w in Skein can be seen as a concatenation of two words $w_1, w_2$, i.e. $w = w_1 \| w_2$, where $w_1$ represents the two most significant bits of w and $w_2$ the remaining 62 bits.

To obtain a high number of rounds in the outbound phase, we carefully choose optimal corrections and fix some of the key bits. More specifically, we found the best values of key bits with an optimized exhaustive search. Now we explain how to optimize the search in Skein-256 (illustrated in the figure of the double subkey rounds).

We consider two rounds of Skein-256 with a subkey addition in between (rounds 4-5, 8-9, etc.). Note that the outer double rounds (6-7, 10-11, etc.) simply keep the rotational pairs, so their probability does not depend on the round index. The outer rounds probability is $2^{-8.5}$ for Skein-256 and $2^{-17}$ for Skein-512.

We denote the four words of the internal state before the double rounds by (A, B, C, D). Therefore, we have

$$(A, B, C, D) = (a_1\|a_2,\ b_1\|b_2,\ s_1\|s_2,\ t_1\|t_2);$$
$$(\overleftarrow{A}, \overleftarrow{B}, \overleftarrow{C}, \overleftarrow{D}) = (a_2\|a_1,\ b_2\|b_1,\ s_2\|s_1,\ t_2\|t_1).$$

Similarly, we denote by

$$K = [k_1\|k_2,\ k_3\|k_4,\ k_5\|k_6,\ k_7\|k_8]; \qquad \overleftarrow{K} \oplus e = [k'_2\|k'_1,\ k'_4\|k'_3,\ k'_6\|k'_5,\ k'_8\|k'_7]$$

the rotational pair of subkeys. Then the corrections $e_i$ can be defined as

$$e_i = k'_{2i+1}\|k'_{2i+2} - k_{2i+1}\|k_{2i+2}.$$

¹ The fact that carries have to behave equivalently for round key additions in both forward and backward direction puts constraints on the inbound phase which are ignored here to keep the exposition simple. This either results in fewer degrees of freedom available to perform the exhaustive-search part of the attack, or reduces the number of possible combinations of neutral bits, and has to be taken into account in the overall estimate of the time complexity.

In the figure the pairs are presented one on top of another with the symbol "—" between them. By $C_{z_1,\ldots,z_k}$ we denote the carry from the sum $z_1 + \ldots + z_k$, i.e. when $z_i < 2^r$, then $C_{z_1,\ldots,z_k} = (z_1 + \ldots + z_k) \gg r$. The variables r, v, D, U, x, f are introduced to maintain the 2 + 62 bit representation of the words. With $i = i_1 \| i_2$ we denote the round counter. Since the rotation preserves the rotational property, we can omit the rotations in the second round of the double subkey rounds, and only require rotational output pairs after the additions in this round. To obtain such pairs for the first output, the following conditions have to hold:

$$a_1 + b_1 + k_1 + x_1 + C_{a_2,b_2,k_2,x_2} = a_1 + b_1 + k'_1 + x_1,$$
$$a_2 + b_2 + k_2 + x_2 = a_2 + b_2 + k'_2 + x_2 + C_{a_1,b_1,k'_1,x_1}.$$

Similarly, for the remaining three outputs, we get the following conditions:

$$w_1 + k_3 + U_2 + C_{w_2,k_4} = w_1 + k'_3,$$
$$w_2 + k_4 = w_2 + k'_4 + U_1 + C_{w_1,k'_3},$$
$$s_1 + t_1 + k_5 + f_1 + C_{s_2,t_2,k_6,f_2} = s_1 + t_1 + k'_5 + f_1,$$
$$s_2 + t_2 + k_6 + f_2 = s_2 + t_2 + k'_6 + f_2 + C_{s_1,t_1,k'_5,f_1},$$
$$e_1 + k_7 + D_2 + C_{e_2,k_8,i} = e_1 + k'_7 + i_2,$$
$$e_2 + k_8 + i = e_2 + k'_8 + i_1 + D_1 + C_{e_1,k'_7,i_2}.$$

The above 8 equations can be reduced to:

$$k'_1 - k_1 = C_{a_2,b_2,k_2,x_2} \qquad (1)$$
$$k'_2 - k_2 = -C_{a_1,b_1,k'_1,x_1} \qquad (2)$$
$$k'_3 - k_3 = C_{w_2,k_4} + U_2 \qquad (3)$$
$$k'_4 - k_4 = -(C_{w_1,k'_3} + U_1) \qquad (4)$$
$$k'_5 - k_5 = C_{s_2,t_2,k_6,f_2} \qquad (5)$$
$$k'_6 - k_6 = -C_{s_1,t_1,k'_5,f_1} \qquad (6)$$
$$k'_7 - k_7 = C_{e_2,k_8,i} + D_2 - i_2 \qquad (7)$$
$$k'_8 - k_8 = i - i_1 - (C_{e_1,k'_7,i_2} + D_1) \qquad (8)$$


This system gives us a hint how to choose the corrections $e_i$ and the values of some of the subkey bits. For each carry $C_{z_1,\ldots,z_k}$ it holds $0 \le C_{z_1,\ldots,z_k} \le k - 1$. Yet the probability that a carry takes a specific value in this range, when the $z_i$ are randomly chosen, is not uniform. When the carries come from sums with 4 terms, the probability is highest for the values 1 and 2. Therefore, for our brute force, we limit the differences $k'_1 - k_1$, $k'_2 - k_2$, $k'_5 - k_5$, $k'_6 - k_6$ to these two values (in absolute value).
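The carry distribution the paragraph relies on, computed exactly. This is an added example, not code from the paper: for k independent uniform w-bit words the carry $C_{z_1,\ldots,z_k} = (z_1 + \ldots + z_k) \gg w$ follows (for large w, which 62-bit lower parts certainly are) the integer part of an Irwin-Hall sum, so $\Pr[C = m] = A(k, m)/k!$ with $A(k, m)$ the Eulerian numbers. For k = 4 this gives 1/24, 11/24, 11/24, 1/24, which is exactly why the search restricts the four-term corrections to the values 1 and 2. A sampled check on 62-bit words is included.

```python
# Added example: distribution of the carry C_{z_1,...,z_k} out of a k-term sum of
# random w-bit words (Section 4.4).  Exact large-w law plus a sampled check on
# 62-bit words.  Not code from the paper.
from fractions import Fraction
from math import comb, factorial
import random


def eulerian(k, m):
    """Eulerian number A(k, m): the number of permutations of k elements with m ascents."""
    return sum((-1) ** j * comb(k + 1, j) * (m + 1 - j) ** k for j in range(m + 1))


def carry_distribution(k):
    """Pr[C = m] for m = 0 .. k-1, where C = (z_1 + ... + z_k) >> w for independent
    uniform w-bit z_i, in the large-w limit.  Each z_i / 2^w is uniform on [0, 1),
    so the sum has the Irwin-Hall law and Pr[floor(sum) = m] = A(k, m) / k!."""
    return [Fraction(eulerian(k, m), factorial(k)) for m in range(k)]


def sampled_carry_distribution(k, w=62, trials=20000, seed=7):
    """Empirical check on actual w-bit words (the paper's 62-bit lower parts)."""
    rng = random.Random(seed)
    counts = [0] * k
    for _ in range(trials):
        total = sum(rng.getrandbits(w) for _ in range(k))
        counts[total >> w] += 1
    return [c / trials for c in counts]


def most_likely_carries(k):
    """Carry values of maximal probability; for k = 4 these are 1 and 2, which is
    why the text limits the four-term corrections k'_i - k_i to those values."""
    dist = carry_distribution(k)
    top = max(dist)
    return [m for m, p in enumerate(dist) if p == top]


if __name__ == "__main__":
    for k in (2, 3, 4):
        exact = carry_distribution(k)
        print(f"k={k}: exact {[str(p) for p in exact]}  most likely {most_likely_carries(k)}")
        print(f"      sampled {[round(p, 3) for p in sampled_carry_distribution(k)]}")
```

The two-term carries in (3), (4) and in the $U$, $D$ terms are 0 or 1 with probability 1/2 each, and the four-term carries in (1), (2), (5), (6) take 1 or 2 with probability 11/24 each, so restricting those corrections to {1, 2} costs only about 1/12 of the probability.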

The variables $U_1, U_2, D_1, D_2$ are determined as follows:

$$U_1 = \big((s_2 + t_2 + C_{s_1,t_1}) \oplus v_2\big) - \big((s_2 + t_2) \oplus v_2\big),$$
$$U_2 = \big((s_1 + t_1 + C_{s_2,t_2}) \oplus v_1\big) - \big((s_1 + t_1) \oplus v_1\big),$$
$$D_1 = \big((a_2 + b_2 + C_{a_1,b_1}) \oplus r_2\big) - \big((a_2 + b_2) \oplus r_2\big),$$
$$D_2 = \big((a_1 + b_1 + C_{a_2,b_2}) \oplus r_1\big) - \big((a_1 + b_1) \oplus r_1\big).$$

These variables can take only odd values and zero. Since $C_{w_2,k_4}$ can take 0 or 1 and $U_2$ can take 0 or 1, $k'_3 - k_3$ (see (3)) can also take 1 and 2 (the same values as for the subkey differences discussed above). A similar reasoning applies to the difference $k'_4 - k_4$. The remaining differences $k'_7 - k_7$, $k'_8 - k_8$ are the only ones that actually depend on the round counter. Yet, since $C_{e_2,k_8,i}$ can take the values 0, 1², i.e. it is not fixed but rather flexible, the whole expression $C_{e_2,k_8,i} + D_2 - i_2$ can, for any $i_2$, take the values 1, 2 (recall that $D_2$ can be any odd value). Therefore the difference $k'_7 - k_7$ can be 1 or 2 (with probability that depends on the round counter $i_2$). Finally, let us focus on the difference $k'_8 - k_8$, which is determined by the expression $i - i_1 - C_{e_1,k'_7,i_2} - D_1$. For a specific counter i, when $k_7 + e_2 = 0$, the carry $C_{e_1,k'_7,i_2}$ is fixed. Hence in this case the whole expression can take only one value, 1 or 2, but not both. This limits $k'_8 - k_8$ to a single value.

² It can take the value 2 as well, but the probability is really low because the counter i is only 4-5 bits.
Now recall that $k_i, k'_i$ are the values of the particular subkey words, and not the key words. Once we fix all of the differences in the subkey words of some round, then in the next round practically the same differences will appear shifted by one index. Also, since the value of the difference in the last key word $K_4$ is determined from the other words, we would have to fix the values of $k_1, k_3, k_5, k_7$ and the two least significant bits of $k_2, k_4, k_6, k_8$ so that the difference in $K_4$ will be as expected. We fix only two bits because we choose the initial difference to be 1 or 2.

In our brute force search, first we find good values for the differences and the two most significant key bits of each key word. We try all possible differences 1 or 2, and then we fix the key bit values such that the difference in the two most significant bits of $K_4$ will also be 1 or 2, and we take into account the limitation on $k'_8 - k_8$ for each counter. Then, we try all possible differences 1 and 2 in the least 62 bits of each key word. We choose the differences that pass with highest probability through the double subkey rounds. Also, we fix the 2 least significant bits in each key word, so that the difference in the least 62 bits of $K_4$ will also be 1 or 2. Finally, to increase the probability we fix the values of the bits 60, 61 (the next two bits after the 2 most significant bits). This results in fixing the two most significant bits of $k_2, k_4, k_6, k_8$, which in return increases the probability that the carries take the expected values.

Rather than finding the above values through a theoretically small brute force, we have tested our approach on real double subkey rounds of Skein-256. That is, most of the values were found and confirmed to be good by taking rotational input pairs of states and rotational input pairs of key words with corrections, and testing the probabilities on double subkey rounds. In some cases the theoretical probabilities did not coincide with the empirical ones. This is because there are some hidden dependencies. For example, both $U_1$ and $k'_5 - k_5$ depend on $s_2, t_2$. Once we had the optimal corrections (and some bit values) of the keys for the double subkey rounds, we found the probability for 4 consecutive rounds. We start with a random rotational input pair of states and go through three rounds. Then we add the subkeys (with the particular counters) and then we go for an additional round.

We fix 6 bits in $K$: 4 MSBs and 2 LSBs, and 6 bits in $K_B$: 2 MSBs and 4 LSBs. The values of these bits are given in Table [?]. In Skein-256 the probability to pass rounds 3-42 (i.e. 10 key additions) is $2^{-244}$. A detailed table with round-by-round probabilities is given in Table 7 of the Appendix.

Optimal values for the differences and some key bits can be obtained for Skein-512 as well. A property of the double subkey rounds of Skein-512 that helps to run the brute force search is that these two double subkey rounds can be split into two non-intersecting halves (see Fig. 3 in the Appendix). Then, for each half, the optimal differences can be found independently. Note that this simply speeds up the brute force for optimal differences and values, but has no impact on the actual probability of the inbound phase. Unlike Skein-256, in Skein-512 we could not find empirically the probabilities for 4 consecutive rounds because they were too low. Hence, we considered each 4 rounds as double round + double subkey round and simply multiplied the probabilities of these two. The values for the optimal 6 bits of each key word in Skein-512 are given in Table [?]. In Skein-512 the probability to pass rounds 3-46 is about $2^{-494}$ (details in Table 8).


4.5 Probabilities in the Khovratovich-Nikolic Analysis 

The paper by Khovratovich and Nikolić [?] provided the rotational analysis of Threefish on up to 42 rounds. The probability estimates were based on several independence assumptions, which must be corrected as follows:

— The probability of the rotational pair propagation through double rounds without key addition (2-3, 6-7, etc.) is not a product of the probabilities for a single round. The problem is that two consecutive modular additions $((a \boxplus b) \boxplus c)$ have lower rotational probability than expected. For example, the rotational probability of one round in Skein-256 is $2^{-3.35}$ for the rotation by 2, but the probability of two rounds is $2^{-8.52}$ instead of $2^{2 \cdot (-3.35)} = 2^{-6.7}$.

— The rotational inputs to the round before the key addition (4, 8, etc.) are not uniformly distributed, and this partly compensates for the negative effect of the dependency (see above). We note that the non-uniformity of inputs is best approximated by restricting the two most significant bits from the value {00}.

— The propagation of the rotational inputs through the double round with the key addition in Threefish-256, with the appearance and the correction of errors, cannot be considered as two independent events (i.e., as getting rotational pairs in the further MIX operations independently). As a result, the probability of this event cannot be computed as a product of other probabilities, and must be computed as a single value.
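As an added example, not from the paper, the following Python script measures the rotational probability of Threefish-256-style rounds without key addition by sampling, which is the kind of empirical check that exposes the dependency described in the first point above. The MIX structure (modular addition, rotation, XOR) is Threefish's; the rotation constants `ROT` and the word permutation are assumed values, which do not change the rotational probability because rotation and XOR commute with the rotation of a rotational pair, so only the modular additions can destroy the pair.

```python
# Added example (not from the paper): measuring the rotational probability of
# Threefish-256-style rounds without key addition by sampling. Rotation constants
# ROT and the word permutation are assumed values (they do not change the rotational
# probability: rotation and XOR commute with the rotation of a rotational pair, so
# only the modular additions can destroy the pair).
import math
import random

MASK64 = (1 << 64) - 1
ROT = [(14, 16), (52, 57), (23, 40), (5, 37), (25, 33), (46, 12), (58, 22), (32, 32)]  # assumed

def rotl64(x, n):
    n %= 64
    return ((x << n) | (x >> (64 - n))) & MASK64

def mix(x0, x1, r):
    """Threefish MIX: one modular addition, one rotation, one XOR."""
    y0 = (x0 + x1) & MASK64
    return y0, rotl64(x1, r) ^ y0

def round_256(x, d):
    """One round: two MIX operations on word pairs, then the word permutation (0, 3, 2, 1)."""
    r0, r1 = ROT[d % 8]
    y0, y1 = mix(x[0], x[1], r0)
    y2, y3 = mix(x[2], x[3], r1)
    return [y0, y3, y2, y1]

def is_rotational_pair(a, b, r):
    return all(rotl64(u, r) == v for u, v in zip(a, b))

def rotational_probability(rounds, r=2, samples=20000, seed=1):
    """Fraction of random rotational input pairs (X, X <<< r) that are still rotational
    after `rounds` rounds, for comparison with the product of single-round values."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        x = [rng.getrandbits(64) for _ in range(4)]
        xr = [rotl64(w, r) for w in x]
        for d in range(rounds):
            x, xr = round_256(x, d), round_256(xr, d)
        hits += is_rotational_pair(x, xr, r)
    return hits / samples

def log2_probability(rounds, **kw):
    p = rotational_probability(rounds, **kw)
    return math.log2(p) if p else float("-inf")

def addition_probability(r=2, n=64):
    """Closed form for one modular addition on n-bit words: the pair survives iff there is
    no carry out of the low n-r bits and none out of the top r bits."""
    return (1 + 2.0 ** (r - n) + 2.0 ** -r + 2.0 ** -n) / 4

if __name__ == "__main__":
    print("one addition, log2:", math.log2(addition_probability()))
    print("one round (two additions), log2:", log2_probability(1))
    print("two rounds, log2:", log2_probability(2), "vs. product:", 2 * log2_probability(1))
```

A single round has two additions on disjoint words, so its probability is the square of the single-addition value, about $2^{-3.36}$ for rotation by 2; the two-round figure reported by the script is what has to be compared against twice that exponent, since the second round's additions receive inputs that are no longer uniform.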


4.6 Degrees of Freedom Analysis 

Now we discuss the following question: How often can this inbound phase be 
repeated? After fixing the differences and the corrections, for Skein-256 we have 

256 + 256 + 128 = 640 

degrees of freedom available to perform the attack. The outbound phase fixes 
24 of the 256 bits of the key, (also 12 bits of the 128-bit tweak), and in addition 
may need up to 256 bits to follow the longest possible trail with high probability. 
What remains is 

640 - 36 - 256 = 348 

degrees of freedom to be spent by the inbound and the acceleration phase. If variants with fewer rounds are targeted, this number is higher, as fewer repetitions are needed for the shorter outbound phase. Overall, this is enough for our purposes.
4.7 Summary and Complexity Estimates

We experimentally verified the probabilities of the outbound phase, and took 
various dependencies into account, and also experimentally verified parts of the 
acceleration and inbound phase. 

Using the Skein-256 compression function as an example, we describe the resulting attack. As illustrated already in Fig. [?], the 8-round inbound part is performed close to the output of the cipher/compression function, with the 5-round acceleration area (3 rounds in forward direction and 2 rounds in backward direction) surrounding it. The majority of the inside-out computation is then done in backward direction, covering about 40 rounds. In total this gives about 53 rounds. Additionally, early stopping techniques will only require the computation of a small number of rounds in the outbound part before another trial is made, saving a factor of the computational complexity that is in the order of the number of rounds.

We estimate the amortized cost for the rounds covered by the inbound and acceleration phases for both Skein-256 and Skein-512 by 1, as there are plenty of long-ranging neutral bits that cover the costs of solving for the right pairs in those inner rounds. In Skein-256, we will spend $2^{244}$ in the outbound+acceleration phases to find $2^{244}$ starting pairs for the outbound phase. One such pair will pass this phase with probability close to one. Therefore, with an effort that is roughly equivalent to $2^{244}$ calls to the compression function of Skein-256, we can find one rotational pair of messages and chaining values (with corrections) that produces a rotational pair of updated chaining values. To produce $2^7$ such pairs, i.e. to find $2^7$-rotational collisions in Skein-256, we only need $2^{7+244} = 2^{251}$ calls. On the other hand, in a random function one has to make at least about $2^{255}$ calls (see Lemma [?]).

Similarly, for the compression function of Skein-512, we can create $2^8$ rotational collisions with $2^{8+495} = 2^{503}$ compression function calls, while a random function would require about $2^{512}$ calls.

5 Conclusion and Future Work 

Our results do not threaten the practical use of full-round Skein or Threefish. However, we show that these constructions behave non-randomly in settings where all or most inputs can be chosen, and this for more rounds than initially thought. We do not assume any other modifications. We argue that variants of Threefish reduced from 72 to about 53/57 rounds are not ideal ciphers, in a similar way as AES-256 was shown not to be an ideal cipher in the first attack on AES [3]. For the Skein compression function a similar argument is made. Since Skein has a very light-weight output transformation, our non-randomness results can also carry over to the actual hash function. There, fewer degrees of freedom limit, but do not prohibit, the applicability of some of our new techniques. To summarize, the following ideas and approaches lead to the improved results:
— The rebound approach as a high-level model for the attack.

— Considering rotational corrections with respect to integer addition instead 
of XOR. 

— Based on analytic reasoning, we find an efficient search method for fixing a 
subset of input bits before other phases of attacks. 

— Using the degrees of freedom in the internal state to efficiently solve for the 
inner 8-rounds. 

— Using the 8-round local collision as long-range neutral bits in an inside-out 
manner to speed up the outbound phase. 

It will be interesting to study how rotational properties found in other construc- 
tions, some of which have been reported recently, can also be amplified in a way 
similar to what we demonstrated in this paper for Skein. The inbound and accel- 
eration techniques we use in our analysis are to a large extent independent of the 
statistical property that is meant to be produced at the inputs and outputs of 
Skein. Hence, in addition to the rotational attacks described in this paper, also 
more traditional differential attacks aiming for collision or near-collision attacks 
will be able to take advantage of those techniques. 
A Details


Table 6. Neutral bits in the acceleration phase. These are used in an inside-out manner, with those computations being 8 rounds apart. A single 64-bit word is used, enumeration is from 0 (LSB) to 63 (MSB). The probabilities are measured over 100 right pairs over two rounds backwards and three rounds forwards direction for Skein-256.

bit     prob.   bit     prob.   bit     prob.   bit     prob.   bit     prob.   bit     prob.   bit     prob.   bit     prob.
7-17    1.00    18      0.99    19      1.00    20      0.99    21      1.00    22      0.99    23      1.00    24      0.99
25      0.95    26      0.94    27      0.93    28      0.82    31      0.79    33      0.86    36      0.77    38-45   1.00
46      0.99    47      1.00    48      0.99    49      0.98    50      0.97    51      0.96    52      0.96    53      0.96
54      0.90    55      0.84

Table 7. Round-by-round rotational probabilities for Skein-256

Rounds      1-2     3-5     6-9     10-13   14-17   18-21
Prob. log2  -       -15.13  -21.97  -21.84  -24.44  -24.69
Rounds      22-25   26-29   30-33   34-37   38-41   42
Prob. log2  -23.83  -26.09  -23.44  -31.75  -27.09  -3.3


Table 8. Round-by-round rotational probabilities for Skein-512

Rounds      1-2     3       4-5     6-7     8-9     10-11   12-13   14-15
Prob. log2  -       -6.7    -26.35  -17.05  -26.21  -17.05  -24.26  -17.05
Rounds      16-17   18-19   20-21   22-23   24-25   26-27   28-29   30-31
Prob. log2  -28.26  -17.05  -28.29  -17.05  -23.79  -17.05  -23.56  -17.05
Rounds      32-33   34-35   36-37   38-39   40-41   42-43   44-45   46
Prob. log2  -27.18  -17.05  -32.23  -17.05  -35.17  -17.05  -31.86  -6.7
Fig. 3. Double subkey round in Skein-512 divided into two nonintersecting halves, red and blue.
Abstract. In this paper we study the second preimage resistance of Hamsi-256, a second round SHA-3 candidate. We show that it is possible to find affine equations between some input bits and some output bits on the 3-round compression function. This property enables an attacker to find pseudo preimages for the Hamsi-256 compression function. The pseudo preimage algorithm can be used to find second preimages of the digests of messages $M$ with complexity $2^{251.3}$, which is lower than the best generic attacks when $M$ is short.

Keywords: hash functions, Hamsi, second preimage.

1 Introduction 

Hamsi is a family of hash functions that have been submitted to the NIST SHA-3 competition by Küçük [?]. It contains 4 versions, with respective outputs of 224, 256, 384, and 512 bits. It is based on the Merkle-Damgård domain extender; however, its design is rather original as it does not make use of a block cipher in Davies-Meyer mode. The Hamsi compression function uses short message blocks and its security relies on a complex message expansion. Instead of a keyed permutation, a fixed permutation is applied to the concatenation of the incoming chaining variable and the expanded message. The new chaining variable is obtained by truncation of the output of the permutation and feedforward with the previous chaining variable.

Previous work. Several distinguishers on the Hamsi compression function have already been discovered. Some of them rely on the fact that the algebraic degree of the internal permutation is small. In [?], Aumasson noticed that the algebraic degree of 5 rounds of the compression function as a function of the incoming chaining variable is at most 243. Aumasson and Meier then enhanced this observation to find zero-sum distinguishers on a 6-round version of the compression function [2]. Several results of differential cryptanalysis have also been found on the compression function. As a difference on the message has only a small probability to propagate, they concern pseudo near collisions on the compression function [?]. Çalık and Turan found out that for some given differences in the incoming chaining variables, the difference on one output bit of the compression function can be predicted with probability one, leading to a pseudo preimage attack [?].

M. Abe (Ed.): ASIACRYPT 2010, LNCS 6477, pp. 20-37, 2010.
Our contribution. In this article we describe a weakness of the Hamsi compression function that can be used to find second preimages for Hamsi-256 with a complexity equivalent to $2^{251.3}$ compression evaluations, improving the best known attack for short messages. This is the first attack that breaks the generic bounds for one of the second round SHA-3 candidates. Our method can be related to cube attacks [?] and AIDA [?]. It is based on an accurate choice of the variables, and on the setting of some initial conditions on the internal state to control the propagation of these variables and to prevent the algebraic degree from growing. We aim at solving a system of polynomial equations, and therefore we set the values of some variables to constants and try to solve the system with the remaining variables. Our main idea consists in setting some conditions on the message block and the chaining variable in order to find affine relations between the output of the compression function and some bits of the incoming chaining variable. These relations can be used to find second preimages for the full hash function.

Related work. Shamir and Dinur independently discovered an algebraic second preimage attack against Hamsi-256 based on cube techniques. Their attack was presented at the Crypto 2010 rump session, and also breaks the complexity of generic attacks against single-pipe Merkle-Damgård hash functions when the initial message is short [?].

Outline of the paper. In Section 2 we briefly describe the hash function Hamsi-256. In Section 3 we display two algebraic properties of the S-box used in Hamsi, and show how to use them to write the result of the first two rounds of the compression function as an affine function of some bits of the chaining variable. After that we show how to extend this property to find affine equations on the full Hamsi-256 compression function in Section 4. Under some conditions on the message block and the incoming chaining variable, we managed to find 14 (resp. 11) output bits of the compression function that can be written as an affine function of 7 (resp. 8) bits of the incoming chaining variable, the message block and the rest of the chaining variable being fixed. In Section 5 we describe how to use these equations to find pseudo preimages for the full Hamsi-256 compression function, along with some optimization techniques and an evaluation of the complexity¹. Then, in Section 6 we show how to use the pseudo preimage algorithm to find second preimages for the full hash function with a complexity equivalent to $2^{251.3}$ compression evaluations, which is our main result. Finally, in Section 7 we study the application of generic techniques on the Merkle-Damgård domain extender variant used in Hamsi. The resulting complexity is slightly higher than in the case of the Merkle-Damgård domain extender, due to the fact that the message blocks have less entropy than required for a direct application of generic techniques. Therefore our second preimage attack is more efficient than generic techniques when the initial message is short.

¹ A pseudo preimage of a chaining variable $C^*$ is a couple $(m, C)$ where $m$ is a message block and $C$ is a chaining variable such that the result of the compression function $\mathcal{F}(C, m)$ is $C^*$.
Notation. Throughout the paper, variables represented by small letters are 32-bit variables, and capital letters stand for the whole internal state, or messages. The $i$-th LSB of variable $v$ is denoted $v^{(i)}$.

$H(M)$ represents the digest of message $M$ by Hamsi-256. $\mathcal{F}(C, m)$ stands for the output of the Hamsi-256 compression function applied to chaining variable $C$ and message block $m$, and the iteration of the compression function on several message blocks is defined recursively as follows:

$\mathcal{F}_1(C, m_1) = \mathcal{F}(C, m_1)$

$\forall i \geq 2,\quad \mathcal{F}_i(C, m_1, \ldots, m_i) = \mathcal{F}(\mathcal{F}_{i-1}(C, m_1, \ldots, m_{i-1}), m_i)$

2 Description of Hamsi-256 

In this article we focus on Hamsi-256. Our technique also applies to Hamsi-224, 
however, unlike for Hamsi-256, it does not break the generic bounds. 

Hamsi-256 uses a compression function that maps a 256-bit chaining variable $H_{i-1}$ and a 32-bit message block to a new 256-bit chaining variable. It consists of the following operations:

Message expansion. Firstly, the 32-bit message block $m$ is expanded into a 256-bit variable $E(M) = (m_0, \ldots, m_7)$. The expansion function is a linear code over $GF(4)$.

Concatenation. The expanded message is then concatenated with the incoming chaining variable $C = (c_0, \ldots, c_7)$ to produce a 512-bit state $S$ represented by a $4 \times 4$ matrix of 32-bit registers. The concatenation function is the following:

$$\mathcal{C} : (E(M), C) \mapsto \begin{pmatrix} s_0 & s_1 & s_2 & s_3 \\ s_4 & s_5 & s_6 & s_7 \\ s_8 & s_9 & s_{10} & s_{11} \\ s_{12} & s_{13} & s_{14} & s_{15} \end{pmatrix} = \begin{pmatrix} m_0 & m_1 & c_0 & c_1 \\ c_2 & c_3 & m_2 & m_3 \\ m_4 & m_5 & c_4 & c_5 \\ c_6 & c_7 & m_6 & m_7 \end{pmatrix}.$$

Round function. After the concatenation the following round permutation is applied three times (or eight times for the last message block):

$\mathcal{R} : S \mapsto \mathcal{L}(\mathcal{S}(\mathcal{A}(S))),$

where $\mathcal{A}$ consists in adding a constant value and a counter to the state, $\mathcal{S}$ is a substitution layer based on the use of the second 4-bit to 4-bit S-box of Serpent, and $\mathcal{L}$ is a diffusion layer that operates on 4 sets of 4 32-bit variables in parallel.

More precisely, $\mathcal{S}$ consists in applying, for all $i \in \{0, \ldots, 3\}$ and $j \in \{0, \ldots, 31\}$, the S-box to bits $j$ of words $s_i, s_{i+4}, s_{i+8}, s_{i+12}$. In other words, the same S-box is applied in parallel to the 128 columns of the internal state.
Table 1. S-box used in Hamsi. Inputs and outputs in hexadecimal; the LSB of $x$ corresponds to words $s_0, \ldots, s_3$.

x      0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
S[x]   8  6  7  9  3  C  A  F  D  1  E  4  0  B  5  2


The diffusion layer works as follows. It takes as inputs $(a, b, c, d) = (s_0, s_5, s_{10}, s_{15})$ (resp. $(s_1, s_6, s_{11}, s_{12})$, $(s_2, s_7, s_8, s_{13})$, $(s_3, s_4, s_9, s_{14})$) and consists of the following operations:

a := a <<< 13
c := c <<< 3
b := (b ⊕ a ⊕ c)
d := (d ⊕ c ⊕ (a
a := (a ⊕ b ⊕ d)
c := (c ⊕ d ⊕ (b

Truncation and feedforward. After the third round, the output of the compression function is obtained by applying a truncation function to the state and xoring the result to the former chaining value:

$\mathcal{T} : S \mapsto \Sigma = (s_0, s_1, s_2, s_3, s_8, s_9, s_{10}, s_{11})$

$\mathcal{X} : \Sigma \mapsto C^* = C \oplus \Sigma.$

Domain extender. To build a variable-length hash function, Hamsi makes use of the Merkle-Damgård construction. The padding consists in concatenating to the message a "1" and as many "0"s as necessary to get an integer number of blocks, and then further concatenating the message length encoded on 64 bits. For the last block, the permutation consists of 8 rounds (instead of 3).

3 An Observation on the Two-Round Hamsi-256 
Compression Function 

In this section we focus on a reduced version of the Hamsi-256 compression function, where the internal permutation is reduced to two rounds. The result we get will be used in the following sections to break the full version of Hamsi-256. We show how to find pseudo preimages for this reduced-round version of the compression function.

3.1 Study of the Hamsi S-Box 

On the Hamsi S-box we notice the following properties. We use the fact that $S[9] = 1$, $S[C] = 0$, $S[B] = 4$, and $S[E] = 5$ to deduce that

$\forall (x, b) \in \{0, 1\}^2,\quad S[(x, b, \bar{x}, 1)] = (x + b, 0, b, 0).$ (1)
As a result, only one bit of the output depends on $x$. Similarly we have $S[3] = 9$ and $S[9] = 1$, which leads to

$\forall x \in \{0, 1\},\quad S[(1, x, 0, \bar{x})] = (1, 0, 0, x).$ (2)

If the input of an S-box depends on only one variable bit, then the output of the S-box can be expressed as an affine function of this bit. With that in mind, properties (1) and (2) have been found according to the following criteria. First, only one output bit of the S-box should depend on $x$. Second, input bits 0 and 2 or 1 and 3 must not depend on $x$, so that for an appropriate choice of a first round S-box, only the input bits coming from the chaining variable depend on $x$.
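As an added example, not from the paper, the following Python code checks properties (1) and (2) against the S-box of Table 1 (Serpent's second S-box; the table's "G" entry is an OCR error for C) and then runs the selection criteria just stated over every input pattern of the S-box, which generalizes the two hand-found properties. The pattern alphabet (constant 0/1, $x$, $\bar{x}$, a free bit $b$, $\bar{b}$) and the bit-ordering convention (bit 0 is the LSB, i.e. word $s_i$ of a column) are this example's own.

```python
# Added example (not from the paper): verifying S-box properties (1) and (2) of
# Section 3.1 against Table 1 (Serpent's second S-box), and searching all input
# patterns of the S-box for the two selection criteria stated in the text.
from itertools import product

SBOX = [0x8, 0x6, 0x7, 0x9, 0x3, 0xC, 0xA, 0xF, 0xD, 0x1, 0xE, 0x4, 0x0, 0xB, 0x5, 0x2]
SYMBOLS = ("0", "1", "x", "~x", "b", "~b")   # what one input bit of a pattern may be

def pack(bits):
    """(b0, b1, b2, b3) -> 4-bit integer; bit 0 is the LSB, i.e. the word s_i of the column."""
    return sum(bit << k for k, bit in enumerate(bits))

def unpack(v):
    return tuple((v >> k) & 1 for k in range(4))

def eval_pattern(pattern, x, b):
    """S-box output for an input pattern such as ("x", "b", "~x", "1") at given x, b."""
    env = {"0": 0, "1": 1, "x": x, "~x": 1 - x, "b": b, "~b": 1 - b}
    return unpack(SBOX[pack([env[p] for p in pattern])])

def output_dependence(pattern):
    """Per output bit: (depends on x, depends on b, affine in x and b)."""
    table = {(x, b): eval_pattern(pattern, x, b) for x in (0, 1) for b in (0, 1)}
    deps = []
    for k in range(4):
        f = {xb: out[k] for xb, out in table.items()}
        on_x = any(f[(0, b)] != f[(1, b)] for b in (0, 1))
        on_b = any(f[(x, 0)] != f[(x, 1)] for x in (0, 1))
        # a function of two bits is affine iff the coefficient of the x*b monomial vanishes
        affine = (f[(0, 0)] ^ f[(0, 1)] ^ f[(1, 0)] ^ f[(1, 1)]) == 0
        deps.append((on_x, on_b, affine))
    return deps

def property_1_holds():
    """Equation (1): S[(x, b, ~x, 1)] = (x + b, 0, b, 0) for all x, b."""
    return all(eval_pattern(("x", "b", "~x", "1"), x, b) == (x ^ b, 0, b, 0)
               for x in (0, 1) for b in (0, 1))

def property_2_holds():
    """Equation (2): S[(1, x, 0, ~x)] = (1, 0, 0, x) for all x."""
    return all(eval_pattern(("1", "x", "0", "~x"), x, 0) == (1, 0, 0, x) for x in (0, 1))

def search_patterns():
    """All patterns meeting the criteria of Section 3.1: exactly one output bit depends on x,
    every output bit is affine, and x enters only through input bits {0, 2} or only {1, 3}."""
    found = []
    for pattern in product(SYMBOLS, repeat=4):
        xpos = {k for k, p in enumerate(pattern) if p in ("x", "~x")}
        if not xpos or not (xpos <= {0, 2} or xpos <= {1, 3}):
            continue
        deps = output_dependence(pattern)
        if sum(d[0] for d in deps) == 1 and all(d[2] for d in deps):
            found.append(pattern)
    return found
```

Calling `search_patterns()` lists every pattern that passes the criteria; the two patterns of equations (1) and (2) are among them, and `output_dependence` shows for each which single output bit carries $x$.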


3.2 An Interesting Set of Variables 

Let us now consider any value of the message block $m$. Without knowing the incoming chaining value, we can compute $s_0, s_1, s_6, s_7, s_8, s_9, s_{14}, s_{15}$ after the first round constant addition. Let us now suppose that the $j$-th bit of $s_{14}$ is $s_{14}^{(j)} = 1$. Then, independently of the value of $s_6^{(j)}$, if $s_2^{(j)} = x^{(j)}$ and $s_{10}^{(j)} = \bar{x}^{(j)}$, only the first output bit of the $j$-th S-box of the 3rd column will depend on $x^{(j)}$ (according to equation (1)). Let $J$ be the set of indices $j$ that satisfy this property.

We can then define one variable bit $x^{(j)} \in \{0, 1\}$ for each $j$ such that $s_{14}^{(j)} = 1$. After the first S-box layer, only the word $s_2$ depends on the variable set $X = \{x^{(j)}\}_{j \in J}$, through an affine relation. After the first round diffusion layer and the second round constant addition, words $s_2, s_7, s_8$ and $s_{13}$ depend linearly on $X$, which means that only one input bit of each S-box of the second substitution layer can depend on $X$. As a consequence, the output of this layer is also an affine function of $X$. The second diffusion layer, the truncation and the feedforward cannot increase the degree, so the whole output of the compression function is an affine function of $X$.

3.3 Building and Solving the Linear System 

We can then try to invert the 2-round compression function $\mathcal{F}$, i.e. to find a message block $M$ and a chaining value $C$ that map to a given value $C^*$. The idea is to express the output of the compression function as an affine system of a given set of variables, and to solve this system. With an appropriate choice of variables, we know that the system is affine but we first need to compute its coefficients. To achieve it we do the following:

1. Choose a message block $M$ and compute the resulting value of $s_{14}$ before the first substitution layer.

2. Compute the resulting set of variables $X = \{x^{(j)}\}_{j \in J}$. If $|J| < 16$, choose another value for $M$.

3. Choose a chaining value $C$ such that for all $j \in J$, $s_2^{(j)} \oplus s_{10}^{(j)} = 1$ after the first constant addition. $C$ is then divided into a variable part (the bits $c_0^{(j)}$ and $c_4^{(j)}$ for $j \in J$) and a constant part (the other bits).
4. Compute $\mathcal{F}(M, C)$ to get the constant coefficients of the system.

5. For each $j \in J$, derive $C_j$ from $C$ by complementing the values of $c_0^{(j)}$ and $c_4^{(j)}$. Compute $\mathcal{F}(M, C_j) \oplus \mathcal{F}(M, C)$ to get the coefficients of $x^{(j)}$ using an interpolation method.

6. Solve the affine system of 256 equations in $|J|$ unknowns to find a preimage of $C^*$. If it has no solution, choose another value of the constant part of $C$. If all the values have been tried, increase the value of $M$.

We can then assume that the complexity of solving the resulting equation system is smaller than the complexity of one evaluation of the compression function. To avoid useless computation, one can for example try to find solutions to subsystems, and abort as soon as an inconsistency is detected. Each system allows us to test $2^{|J|}$ values of $\mathcal{F}(M, C)$ with a complexity of less than $|J| + 2$ evaluations of the compression function. As $|J| \geq 16$, the total complexity of this algorithm is about $18 \times 2^{256-16} \approx 2^{244}$ compression evaluations.
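The following Python model, added here and not the paper's or Hamsi's reference code, ties Section 2 and Sections 3.2-3.3 together: it implements the state layout, the bitsliced S-box layer, the diffusion layer, truncation and feedforward, then runs steps 1-6 above on the 2-round compression function, checking that the output really is affine in $X$ and solving the $256 \times |J|$ system over GF(2) with Gaussian elimination. Three things are assumed because the page does not show them: the message expansion (a constructed 8-word expanded block stands in for $E(M)$), the constants added by $\mathcal{A}$ (placeholders; $\mathcal{A}$ does not change degrees), and the rotation and shift amounts of $\mathcal{L}$ that the page cuts off, which are taken from Serpent's linear transform that Hamsi adopts.

```python
# Added example, not the paper's or Hamsi's reference code: bitsliced model of the
# Section 2 round function and the Section 3.2/3.3 linearization of 2 rounds.
# Assumed: E(M) (a constructed 8-word block), the constants of A (placeholders), and the
# rotation/shift amounts of L that the page cuts off (Serpent's linear transform).
import functools, operator, random

MASK = 0xFFFFFFFF
SBOX = [0x8, 0x6, 0x7, 0x9, 0x3, 0xC, 0xA, 0xF, 0xD, 0x1, 0xE, 0x4, 0x0, 0xB, 0x5, 0x2]
GROUPS = [(0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)]  # (a, b, c, d) fed to L

def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK

def add_constants(s, rnd):
    """A: XOR a constant and the round counter into the state (placeholder values)."""
    return [s[0] ^ 0x6A09E667, s[1] ^ rnd] + s[2:]

def sbox_layer(s):
    """S: the S-box on bit j of (s_i, s_{i+4}, s_{i+8}, s_{i+12}) for every i, j (128 columns)."""
    out = [0] * 16
    for i in range(4):
        for j in range(32):
            w = SBOX[sum(((s[i + 4 * k] >> j) & 1) << k for k in range(4))]
            for k in range(4):
                out[i + 4 * k] |= ((w >> k) & 1) << j
    return out

def lt(a, b, c, d):
    """L on one group; the page shows the first two lines, the rest is Serpent's transform."""
    a, c = rotl(a, 13), rotl(c, 3)
    b = rotl(b ^ a ^ c, 1)
    d = rotl(d ^ c ^ ((a << 3) & MASK), 7)
    a = rotl(a ^ b ^ d, 5)
    c = rotl(c ^ d ^ ((b << 7) & MASK), 22)
    return a, b, c, d

def diffusion(s):
    t = list(s)
    for g in GROUPS:
        for i, v in zip(g, lt(*(s[i] for i in g))):
            t[i] = v
    return t

def concat(m, c):
    return [m[0], m[1], c[0], c[1], c[2], c[3], m[2], m[3],
            m[4], m[5], c[4], c[5], c[6], c[7], m[6], m[7]]

def to_int(words): return sum(w << (32 * i) for i, w in enumerate(words))

def compress(E, C, rounds=2):
    """Concatenation, `rounds` rounds of L(S(A(.))), truncation and feedforward, as a 256-bit int."""
    s = concat(E, C)
    for r in range(rounds):
        s = diffusion(sbox_layer(add_constants(s, r)))
    return to_int([s[0], s[1], s[2], s[3], s[8], s[9], s[10], s[11]]) ^ to_int(C)

def choose_variables(E, C):
    """Steps 1-3: J = {j : s_14^(j) = 1 after the first constant addition}; then force
    s_2^(j) xor s_10^(j) = c_0^(j) xor c_4^(j) = 1 for every j in J by adjusting c_4."""
    s14 = add_constants(concat(E, C), 0)[14]
    J = [j for j in range(32) if (s14 >> j) & 1]
    c = list(C)
    for j in J:
        c[4] ^= ((~(c[0] ^ c[4]) >> j) & 1) << j
    return c, J

def flip(C, js):
    """Assignment x_j = 1 for j in js: complement c_0^(j) and c_4^(j) together (keeps their xor 1)."""
    mask = sum(1 << j for j in js)
    return [C[0] ^ mask, C[1], C[2], C[3], C[4] ^ mask, C[5], C[6], C[7]]

def linearize(E, C, J):
    """Steps 4-5: constant term and one coefficient column per variable, by interpolation."""
    base = compress(E, C)
    return base, [compress(E, flip(C, [j])) ^ base for j in J]

def solve_gf2(base, cols, target):
    """Step 6: solve base xor sum_j x_j col_j = target over GF(2); returns the bit list x or None."""
    n, rhs = len(cols), base ^ target
    # equation r, one per output bit: bit i = coefficient of x_i, bit n = right-hand side
    rows = [sum(((cols[i] >> r) & 1) << i for i in range(n)) | (((rhs >> r) & 1) << n)
            for r in range(256)]
    pivots = []
    for col in range(n):
        p = next((i for i, row in enumerate(rows) if (row >> col) & 1), None)
        if p is None:
            continue  # free variable, left at 0
        row = rows.pop(p)
        rows = [r ^ row if (r >> col) & 1 else r for r in rows]
        pivots = [(c, r ^ row if (r >> col) & 1 else r) for c, r in pivots] + [(col, row)]
    if any(row == 1 << n for row in rows):
        return None  # an equation reads 0 = 1: no solution for this constant part of C
    x = [0] * n
    for col, row in pivots:
        x[col] = (row >> n) & 1
    return x

def demo(seed=7):
    """Returns (|J|, affinity check passed, preimage found) for constructed E and C."""
    rng = random.Random(seed)
    E = [rng.getrandbits(32) for _ in range(8)]  # constructed stand-in for E(M)
    C, J = choose_variables(E, [rng.getrandbits(32) for _ in range(8)])
    base, cols = linearize(E, C, J)
    subsets = [[j for j in J if rng.random() < 0.5] for _ in range(40)]
    predict = lambda js: base ^ functools.reduce(operator.xor, [c for j, c in zip(J, cols) if j in js], 0)
    affine = all(compress(E, flip(C, js)) == predict(js) for js in subsets)
    target = compress(E, flip(C, subsets[0]))  # a target that has a preimage in this system
    x = solve_gf2(base, cols, target)
    found = x is not None and compress(E, flip(C, [j for j, b in zip(J, x) if b])) == target
    return len(J), affine, found
```

`demo()` reports the size of $J$ for the constructed block (step 2 would reject blocks with $|J| < 16$), confirms on random assignments that the 2-round output is affine in $X$ as Section 3.2 argues, and recovers a chaining value for a target by solving the system, which is step 6 in working form; with 3 rounds the same affinity check fails, which is why Section 4 needs the stronger conditions.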

4 Linear Equations for the Full Hamsi-256 Compression 
Function 

In this Section we show how to apply similar techniques to find linear equations 
for the full Hamsi-256 compression function. 

If we try to use the same property on the S-box as in the previous section, we cannot find any large set of variables that leads to linear equations. To this end, property (2) is more interesting. If the message block is such that, before the first substitution layer, $s_0^{(j)} = 1$ and $s_8^{(j)} = 0$, and if we set $s_4^{(j)} = x^{(j)}$ and $s_{12}^{(j)} = \bar{x}^{(j)}$, only the $j$-th bit of $s_{12}$ depends on $x^{(j)}$ after the S-box layer. The same remark applies to $s_1, s_5, s_9, s_{13}$, with $s_5^{(j)} = y^{(j)}$, $s_{13}^{(j)} = \bar{y}^{(j)}$, $s_1^{(j)} = 1$ and $s_9^{(j)} = 0$.

In comparison with the technique used in Section 3, we use more degrees of freedom (for each variable, two bits of the message and one bit of the chaining variable). However, as $s_{12}$ is the $d$ input of the diffusion layer, the dependence in $x^{(j)}$ does not propagate fast during the first round.

The internal state $S$ before the permutation rounds can then be divided into three parts:

— Variable bits: The sets of variables $X, Y$.

— Conditional bits: Bits of the initial internal state that must take a given value so that the dependence of the internal state in the variables after the first substitution layer is as described in equation (2). Each Variable bit requires the definition of three Conditional bits: two on the message block and one on the incoming chaining variable.

— Constant bits: All the other parts of the internal state.

These bits are not necessarily directly bits from the incoming message block or chaining variable: they can be a linear function of such bits. For example, when considering equation (2), the Conditional bits on the incoming chaining value are
the exclusive or of two bits ($s_4^{(j)}$ and $s_{12}^{(j)}$, or $s_5^{(j)}$ and $s_{13}^{(j)}$). The corresponding Variable bit can then be taken as the value of one of these two bits.

As a result, it is possible to find sets of variables $X = \{x^{(j)}\}_{j \in J_X}$ and $Y = \{y^{(j)}\}_{j \in J_Y}$, such that some output bits of the whole compression function depend linearly on the Variable bits $X, Y$, provided the Conditional bits take a given value and once the Constant bits are set.

Algebraic properties of the Hamsi-256 S-box. To find these sets of variables we have to take into account the following properties.

1. Any function $f$ from 1 bit to $n$ bits is affine. It can be defined as $f(b) = f(0) \oplus (f(1) \oplus f(0))\,b$. Therefore, if all input bits of a 4-bit S-box are constant except one, the output of the S-box is an affine function of the remaining input bit. If this input bit is an affine function of the variables in $X \cup Y$, it is also the case for the 4 output bits, as a composition of affine functions.

2. Similarly, if the input of an S-box depends on only one of the variables, its output is an affine function of this variable.

3. If $(b_0, b_1, b_2, b_3)$ is the output of an S-box with input $(a_0, a_1, a_2, a_3)$, the only nonlinear monomial in the expression of $b_0$ is $a_0 a_2$, and $b_3$ only depends on the nonlinear monomials $a_0 a_1 a_2$ and $a_1 a_3$. Therefore, if the monomial $a_0 a_2$ is an affine function of $X \cup Y$, so is $b_0$. Similarly, if the monomials $a_1 a_3$ and $a_0 a_1 a_2$ are affine in $X \cup Y$, so is $b_3$.

We will now use these properties in an automated search as sufficient conditions to guarantee that some final and intermediate bits involved in the computation of the compression function are affine functions of a set of variables.

Optimal sets of variables. For our second preimage attack we then have to determine optimal sets of variable bits. In our attack two phases are time-consuming: the generation of the affine equation system, and the test of the solutions. The complexities mainly depend on the number of variables $N_{var}$ and the number of resulting affine equations $N_{eq}$. For a given number of variables $N_{var}$, we then look for the choice of the variable set that leads to the largest affine equation system, using an exhaustive search. The cost of the system generation decreases when the number of variables increases, whereas the cost of testing the solutions mainly decreases when the number of equations increases. A precise evaluation of the complexity of the attack is given in Section 5. The optimal values for $N_{var}$ and $N_{eq}$ can then be found as a tradeoff between the complexity of these two algorithms.

Furthermore, the equation systems that have been generated can be reused 
if one tries to find a pseudo preimage for multiple targets, which is the case in 
some parts of our attack. Therefore, the optimal sets of equations are different 
in the different parts of the attack. 

Finding the optimal sets of variables. For a given value of $N_{var}$, we determine the set $X \cup Y$ of variables that leads to the maximal value of $N_{eq}$. We achieve it through an automated exhaustive search on all the sets of variables $X \cup Y$ that contain exactly $N_{var}$ elements.

Let us now consider a fixed set $X \cup Y$. We try to determine which output bits can always be expressed as an affine function of the Variables of $X \cup Y$, under the assumption that all the Conditional bits take the right constant value and that all the Constant bits are fixed. We then do the following:

For each pair of variables $\{z, z'\} \subset X \cup Y$, we determine the set of output bits $S_{z,z'}$ that are always affine functions of $z$ and $z'$ when the Conditional bits take the right value and the other parts of the initial state are set to a fixed constant value. How to determine these sets is described below. Once this is done, the bits in the set $S_{X,Y} = \bigcap_{\{z,z'\} \subset X \cup Y} S_{z,z'}$ are affine functions of the set of variables $X \cup Y$. If the algebraic expression of an output bit $b$ as a function of the variables in $X \cup Y$ contains a monomial of degree 2 or more, let $z$ and $z'$ be two variables of this monomial. Then $b$ cannot be in $S_{z,z'}$, because for some assignment of all the other variables, the expression of $b$ contains the monomial $zz'$.

Let us now describe how to find $S_{z,z'}$. After the first S-box layer, only one bit depends on each of the variables $z$ and $z'$. We then study the propagation of these variables through the compression function. The propagation is not always deterministic: it is probabilistic through the S-box layers. For each intermediate bit of the internal state, we then determine if it is independent from $z$ and $z'$, if it can depend linearly on $z$ and/or $z'$, or if it can be quadratic in $z$ and $z'$. The diffusion layer $\mathcal{L}$ is linear. Therefore a bit of the internal state after the diffusion layer is always affine in $z, z'$ if and only if all the input bits it depends on are also always affine in $z, z'$. $\mathcal{A}$ does not change the degree of each bit of the internal state. $\mathcal{S}$ is nonlinear and can increase the degree. More precisely, if two different input bits of a given S-box can depend respectively on $z$ and $z'$, some output bits may be quadratic. At the end of the compression function, $\mathcal{T}$ and $\mathcal{X}$ cannot increase the degree.

Let us now consider a fixed set X ∪ Y. We try to determine which output
bits can always be expressed as an affine function of the Variables of X ∪ Y, under
the assumption that all the Conditional bits take the right constant value and
that all the Constant bits are fixed. Equivalently, we can try to determine the output
bits b_i whose polynomial expression as a function of the Variable bits can contain
monomials of degree ≥ 2. This means that for some choice of (z, z') ∈ X ∪ Y
and for some assignment of all the other variables, the polynomial expression of
b_i can contain the monomial zz'. Therefore, for each choice of (z, z') ∈ X ∪ Y,
we compute which bits of the internal state can contain the monomials z, z',
and zz' during the intermediate computation and in the resulting chaining
value.

Using this method, we found the following properties for 7 and 8 variables,
provided that the message block and the whole chaining variable except the x
and y variables are fixed, and under the assumption that N_cond conditions on the message
block and the chaining value are verified:

— Output bits 9, 18, 44, 88, 144, 152, 183, 185, 188, 193, 219, 221, 228 and 246
depend linearly on (x_3, x_26,	x_30, y_4, y_6, y_7, y_15), which makes 14 output bits
and 7 variables with N_cond = 21.

— Output bits 11, 39, 46, 185, 188, 195, 218, 220, 230, 248 and 255 depend
linearly on (x_3, x_28, x_29, y_1, y_6, y_7, y_15, y_31), which makes 11 output bits and
8 variables with N_cond = 24.

Once the Conditional bits are assigned the right value and the Constant bits are 
assigned any value, the relation between some output bits (denoted Equation 
bits) and the Variable bits can be described as a linear equation system. 

5 Pseudo Preimages for the Hamsi-256 Compression Function

In this Section we try to find pseudo preimages of a given value C* of the chaining
variable. We aim at finding m, C such that F(C, m) = C*. In the first subsection
we describe an optimized algorithm that performs the following operations with a
reduced complexity. Once we know that N_eq output bits t_0, ..., t_{N_eq−1} are affine
functions of N_var variable bits z_0, ..., z_{N_var−1}, computing the inverse of the
compression function can be achieved as follows. We also give here a correspondence
between the operations described and the steps of the algorithm that compute
them.

— Set the initial value of the chaining variable C and the message block m such
that all the conditions are verified (steps 1 and 2).

— Compute the output bits t_0, ..., t_{N_eq−1} of F(C, m) (steps 3 to 7).

— The output bits t_0, ..., t_{N_eq−1} of the compression function are then an affine
function of the variables. Compute the coefficients of this function (step 8).

— Solve the resulting system of affine equations (step 9). If it does not have
any solution, start again.

— If the linear system has a solution (C_j, m_j), compute the compression function
to determine whether F(C_j, m_j) = C* (step 10). This occurs with probability
2^{N_eq − 256}. If not, start again.


5.1 Building and Solving the Equation Systems 

A basic idea. The first idea to compute the coefficients of the equation system
would be to reuse the idea of Section 0. More precisely, we could evaluate the
compression function with all the variables set to 0 to get the constant
coefficients, and once for each variable to get the coefficients of this variable, by
running the compression function.

But to determine the coefficients, we only need to compute the parts of the
state that really depend on the Variable bits and impact the Equation bits, which
involves less computation than running the whole compression function.

Furthermore, some small changes in the incoming chaining variable do not 
impact immediately the whole internal state. Some parts of the computation can 
then be reused when computing the constant coefficients of different equation
systems. We describe a method to compute these systems below.

A more efficient method. To achieve a more efficient computation of the
coefficients, we can use the following ideas:

— The coefficients of each variable only depend on the propagation of the
variable through the second and the third diffusion layer. Therefore they can be
recovered from the inputs of the affected S-boxes.

— The first two rounds of the Hamsi-256 compression function are an affine
function of the variables defined in Section 0.

We then use a set of 8 variables as defined in Section 0, denoted auxiliary
variables, to compute 2^8 equation systems more efficiently. We know from the
analysis of Section 0 that the whole internal state up to the input of the third
S-box layer is an affine function of these variables, provided that some Conditional
bits have the appropriate value. Instead of running the whole compression function
to get the constant coefficients for each system, we only modify one auxiliary
variable from one system to the next one. Therefore, some intermediate values
do not need to be computed again.

Once we have computed the intermediate values of the internal state with all
the principal and auxiliary variables set to 0, we can deduce all the values of the
internal state for any of the 2^8 possible assignments of the auxiliary variables by
studying the propagation of the 8 auxiliary variables through the S-box layer of
round 2.

We can then improve the attack as follows. 

1. Set the value of the Conditional bits from the chaining variable to their 
appropriate value. 

2. Choose the Constant bits of the chaining variable, and the message block m 
such that all the conditions are verified. 

3. Choose a set of 8 auxiliary variables such that the resulting auxiliary
conditions are verified. For a random value of the initial internal state, we can find
8 auxiliary variables with a good probability. If not, go back to step 2.

4. Compute the first two rounds of the compression function with all the
Variables and auxiliary variables set to 0. Keep track of the results of internal
operations.

5. Compute the propagation of the auxiliary variables in the first two rounds. 

6. For each value of the set of auxiliary variables, recover the inputs of the 
S-boxes involving the Variables in rounds 2 and 3. 

7. Recover the constant coefficients by running the part of the third round that
affects the Equation bits.

8. Recover the other coefficients of the system by studying the propagation of 
the Variables during rounds 2 and 3. 

9. Solve the resulting linear equation system. If it does not have any solution, 
go back to step 2. 

10. Set the Variable bits according to one of the solutions of the equation system,
and compute the compression function. If the result is not the target C*, go
back to step 2.
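The following Python is an added illustration of the linearization approach, not code from the paper: it builds a constructed 16-bit toy compression function (four 4-bit S-boxes, a sparse diffusion layer, two rounds and a feedforward), applies the S_{z,z'} test described earlier empirically (an output bit carries the monomial zz' at some constant iff its second-order derivative in z, z' is nonzero there) to find which output bits stay affine in a chosen pair of Variable bits, and then runs the basic build/solve/test loop of steps 2, 8, 9 and 10 with Gaussian elimination over GF(2). The toy function, the S-box, the variable positions and the counting of full compression evaluations (the paper only recomputes the parts of the state that matter) are assumptions of the example.

```python
import random

# Constructed 16-bit toy compression function (not Hamsi): four 4-bit PRESENT S-boxes,
# a sparse linear layer, two rounds, and a feedforward of the chaining value C.
N = 16
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
ROUNDS = 2


def sbox_layer(s):
    return sum(SBOX[(s >> (4 * i)) & 0xF] << (4 * i) for i in range(4))


def linear_layer(s):
    """Nibble i becomes nibble i XOR nibble i+1: each next-round S-box sees two nibbles."""
    nib = [(s >> (4 * i)) & 0xF for i in range(4)]
    return sum((nib[i] ^ nib[(i + 1) % 4]) << (4 * i) for i in range(4))


def compress(c, m):
    """F(C, m) = P(C xor m) xor C, with P the two-round S-box/linear permutation."""
    s = c ^ m
    for _ in range(ROUNDS):
        s = linear_layer(sbox_layer(s))
    return s ^ c


def affine_output_bits(var_bits, trials=200, seed=1):
    """Empirical version of S_{X,Y}: output bits that stay affine in the chosen bits of C.
    Bit b carries the monomial z z' at constant (c, m) iff the second-order derivative
    F(c) ^ F(c^z) ^ F(c^z') ^ F(c^z^z') has bit b set; bits never seen set are kept."""
    rng = random.Random(seed)
    nonaffine = 0
    for _ in range(trials):
        c, m = rng.getrandbits(N), rng.getrandbits(N)
        for i, z in enumerate(var_bits):
            for zp in var_bits[i + 1:]:
                ez, ezp = 1 << z, 1 << zp
                nonaffine |= (compress(c, m) ^ compress(c ^ ez, m)
                              ^ compress(c ^ ezp, m) ^ compress(c ^ ez ^ ezp, m))
    return [b for b in range(N) if not (nonaffine >> b) & 1]


def solve_gf2(rows):
    """Gaussian elimination over GF(2). rows = [(coefficient_mask, rhs_bit), ...].
    Returns one solution as a bitmask (free variables set to 0), or None if inconsistent."""
    pivots = []                                    # (pivot_bit, mask, rhs), kept fully reduced
    for mask, rhs in rows:
        for pb, pm, pr in pivots:                  # reduce the new row by every existing pivot
            if (mask >> pb) & 1:
                mask, rhs = mask ^ pm, rhs ^ pr
        if mask == 0:
            if rhs:
                return None                        # 0 = 1: no solution, start a new system
            continue
        pb = mask.bit_length() - 1
        pivots = [(qb, qm ^ mask, qr ^ rhs) if (qm >> pb) & 1 else (qb, qm, qr)
                  for qb, qm, qr in pivots]        # clear the new pivot column from older rows
        pivots.append((pb, mask, rhs))
    return sum(1 << pb for pb, _, pr in pivots if pr)


def pseudo_preimage(target, var_bits, eq_bits, seed=1, max_systems=1 << 20):
    """Steps 2, 8, 9 and 10 on the toy: fix the Constant bits, recover the coefficients
    with N_var + 1 evaluations, solve, and test the candidate against the target.
    Returns ((c, m), number_of_compress_evaluations) or (None, evaluations)."""
    rng = random.Random(seed)
    evals = 0
    for _ in range(max_systems):
        c0, m = rng.getrandbits(N), rng.getrandbits(N)
        for z in var_bits:
            c0 &= ~(1 << z)                        # Variable bits start at 0
        base = compress(c0, m)                     # constant coefficients
        cols = [compress(c0 ^ (1 << z), m) ^ base for z in var_bits]   # coefficients of each z
        evals += 1 + len(var_bits)
        rows = []
        for b in eq_bits:
            mask = sum(((cols[i] >> b) & 1) << i for i in range(len(var_bits)))
            rows.append((mask, ((base ^ target) >> b) & 1))
        x = solve_gf2(rows)
        if x is None:
            continue                               # step 9: no solution, new system
        c = c0
        for i, z in enumerate(var_bits):
            if (x >> i) & 1:
                c |= 1 << z
        evals += 1
        if compress(c, m) == target:               # step 10: full check of the candidate
            return (c, m), evals
    return None, evals


if __name__ == "__main__":
    good, bad = [0, 8], [0, 1]                     # one variable per S-box vs. two in the same S-box
    print("affine bits for", good, "->", len(affine_output_bits(good)))
    print("affine bits for", bad, "->", len(affine_output_bits(bad)))
    target = compress(0xA5C3, 0x0F1E)
    sol, evals = pseudo_preimage(target, good, affine_output_bits(good), seed=3)
    print("pseudo preimage", sol, "after", evals, "evaluations (brute force expects", 2 ** N, ")")
```

With one variable per first-round S-box, every round-2 S-box input depends on a single variable, so all 16 output bits stay affine; putting both variables into one S-box loses that property, which is the rule the text gives for S.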
5.2 Complexity Evaluation of the Attack

We now aim at evaluating the complexity of the different steps of the attack.
As we try to avoid useless computations, we mainly use operations on bits and
not on 32-bit registers. We could use parallelism by building several systems
at the same time, with different values of the Constant bits of the incoming
chaining variable. Therefore we argue that the right metric for evaluating the
complexity of the attack is the number of elementary bitwise operations (AND,
OR, XOR) it involves. To compare it to generic attacks, we use the analysis
of Shamir and Dinur and evaluate the number of bitwise operations in the
Hamsi-256 compression function to about 10500.

Steps 1 to 3 are setup steps and have a negligible complexity compared to
the other steps. We also argue that the choice of auxiliary variables can be the
same for a large range of systems; therefore the study of which parts of the
intermediate internal state they impact can be precomputed once and has a
negligible complexity.

Step 4 involves the computation of about 2 out of 3 rounds of the compression
function. A careful analysis of which output bits of the S-boxes need to be
computed and which parts of the linear diffusion layers need to be run leads to
5248 operations for the 7-variable systems and 4852 operations for the 8-variable
systems.

Step 5 involves the computation of at most 7 second round S-boxes per
auxiliary variable, and at most 7 × 20 = 140 XOR operations per variable for the
second round diffusion layer, which makes at most 1120 elementary operations
for 2^8 systems.

Step 6 consists in XORing the values of the inputs of some S-boxes before
rounds 2 and 3 for different values of the auxiliary variables. The values of these
variables can be chosen following a Gray code, to minimize the parts of the state
that have to be computed again. Therefore, only 7 input bits of the second S-box
layer can be affected. For the third S-box layer, only some S-boxes are useful
(45 for the 7-variable systems, 34 for the 8-variable systems). This step then
requires 7 + 4 × 45 = 187 (resp. 7 + 4 × 34 = 143) XORs for the 7-variable (resp.
8-variable) systems.

Step 7 requires evaluating the constant coefficients of the system. These
coefficients can be recovered by computing some parts of the output of the
compression function, knowing the output of the second round. This consists in applying
the diffusion operations and the feedforward. To compute the feedforward one
needs to invert N_eq bits of the first round constant addition. This step costs
473 + 54 + 28 = 555 (resp. 328 + 37 + 22 = 387) operations per system.

Step 8 consists in recovering the coefficients of degree 1 monomials. This can
be achieved by studying the propagation of the variables through the S-boxes.
For the 7-variable (resp. 8-variable) systems the inputs of 17 (resp. 20) S-boxes
depend on the variables before the second substitution layer. For some of them,
only some output bits need to be computed. For each 7-variable (resp. 8-variable)
system, this requires 210 (resp. 200) operations. The propagation through the
second diffusion layer to the inputs of the useful third round S-boxes requires 60
(resp. 46) XORs. In the third round, the outputs of 45 (resp. 34) S-boxes affect
the Equation bits. To evaluate the coefficients of the variables, 3 cases can occur
for the third round S-box layer:

1. The input of the S-box does not depend on Variables. Then the output does
not depend on the Variables either, and no computation is required. This
occurs for 5 (resp. 9) S-boxes.

2. One input bit can a priori depend on one or several Variables. Then its output
depends on the same Variables as its input, and computing the coefficients
is equivalent to one S-box evaluation. This occurs for 31 (resp. 17) S-boxes,
leading to a complexity of 364 (resp. 155) operations.

3. Two input bits can a priori depend on the Variables. As the dependences
are not deterministic, 3 different cases of dependences can occur during the
actual computation of the system. Each of them leads to a different propagation
of the difference. If the adversary uses parallelism, he needs to compute
the dependences for the 3 cases, leading to a complexity equivalent to 3 S-box
computations. This occurs for 6 (resp. 8) S-boxes, leading to a complexity
of 211 (resp. 213).

The linear coefficients can be derived using simple operations from the bits
representing the propagation of the variables through the second and the third
S-box layer. The overall complexity to retrieve the coefficients from these bits
is then at most 125 (resp. 101) operations.

Putting everything together, the average costs to compute the coefficients of
an equation system (the costs of steps 4 and 5 being shared by the 2^8 systems) are:

- (5248 + 1120)/2^8 + 187 + 210 + 60 + 555 + 364 + 211 + 125 ≈ 1737 operations for
7-variable systems,

- (4852 + 1120)/2^8 + 143 + 200 + 46 + 387 + 155 + 213 + 101 ≈ 1268 operations for
8-variable systems.

Overall, the cost to construct a 7-variable system is about T_build^{(7)} = 2^{−2.59}
compression evaluations. The complexity to build an 8-variable system is T_build^{(8)} =
2^{−3.05} compression evaluations.

Step 9 then consists in solving the equation system, whose complexity T_solve
is small compared to the evaluation of the compression function. We use the
Gauss algorithm. Therefore the complexity is as follows: for each of the N_var
variables, for each of the N_eq equations, we compute at most (N_var + 1) XORs,
and the average number of XORs is N_var/2. This leads to an overall complexity
of N_var(N_var + 1)N_eq/2 operations per system, which means 392 operations for
7-variable systems and 396 operations for 8-variable systems. One can therefore
bound the complexity of this step by T_solve^{(7)} = 2^{−4.74} and T_solve^{(8)} = 2^{−4.72}.

The success probability of step 10 is then 2^{N_eq − 256} = 2^{−242}, leading to an
overall complexity of 2^{256 − N_eq} T_test compression evaluations (the complexity to
test one solution is T_test ≈ 1). Each system of equations enables to test 2^{N_var}



32 


T. Fuhr 


values of the chaining variable, therefore one needs to compute about 2^{256 − N_var}
systems. The best pseudo-preimage algorithm is then obtained for 8 variables:

$T_{preimage} = 2^{256 - N_{var}}\left(T_{build} + T_{solve}\right) + 2^{256 - N_{eq}}\, T_{test} \approx 2^{246.1}.$ (3)

Variability. We also need to make sure that the search space is big enough to
find the second preimages we need. We can only detect a certain type of pseudo
preimages for a given output, which can be defined by the conditions that are
imposed on the input message block and chaining variable. For 8 variables, we
have 24 such bit conditions (16 on the message block and 8 on the chaining
variable). The original search space has size 2^{256+32} = 2^{288}; we then expect
2^{288−24} = 2^{264} couples (C, m) to fulfill these conditions. We also need to find
8 auxiliary variables. An auxiliary variable can be defined when one condition
on the message block and one condition on the chaining variable are verified
(according to Section EJ). As we have 32 potential auxiliary variables, the
probability that at least 8 of them can be chosen is at least 1/2. Therefore we expect
at least 2^{263} candidates, among which 2^7 are pseudo-preimages of a given value.
This argument confirms that the search space is big enough to make the attack
work.

6 Second Preimages for the Full Hamsi-256 

As we showed in Section 0, pseudo preimages can be found for the Hamsi-256
compression function with a complexity of about 2^{246.2} compression evaluations.
This threatens the security of Hamsi-256, because one can use a pseudo preimage
algorithm to build a second preimage finding algorithm using a basic meet-in-the-middle
approach. In this section we describe both this basic method and
how to improve it. The main idea is the following: the complexity of the
pseudo-preimage attack is dominated by the complexity of the construction of
the equation systems, especially the complexity to recover the coefficients of the
equations. In the general second preimage setting, one can then try to invert one
of the intermediate chaining variables. As the coefficients of the linear system
are the same whatever the value of the chaining variable we try to invert, we
can save some computation.


6.1 A Basic Second Preimage Algorithm 

The most natural idea to generate second preimages using our pseudo preimage
algorithm consists in using a basic meet-in-the-middle approach. The algorithm
is the following:

1. Compute 2^{5.9} pseudo preimages of the chaining value after the ninth message
block.

2. Compute intermediate hash values for sequences of 8 message blocks until
reaching one of the values computed in step 1. The expected number of such
messages is around 2^{251.1}.

This would lead to a second preimage attack with a complexity of about 2 ×
2^{251.1} = 2^{252.1}. However, the original message must contain at least 9 blocks,
so as to make sure that we have enough variability to build a second preimage
of an equivalent length. An improvement of our technique would lead to an
improvement of the best second preimage attacks on Hamsi-256.


6.2 Pseudo Preimages in a Set of Images 

In the first step of the basic attack, a large amount of the computation time is
consumed to generate the systems. If one has several targets, this computation
can be done only once. In this section we describe another algorithm that
benefits from this remark.

We now describe how to find pseudo preimages of an element of a set of
N images, which is an easier problem than finding a pseudo preimage of a given
element. In our method, the computation of the coefficients of the linear equation
systems only depends on the target through XORing it to the constant coefficients. We
can therefore use a similar method to compute a preimage of an element of a
set by computing the coefficients only once, and trying to solve the system of
equations for all the N elements of the set.

The beginning of the resolution of the equation system is also common for
all the targets. One aims at solving the equations y_i = Ax, where the y_i are
constant binary vectors of size N_eq, x is an unknown binary vector of size N_var
and A is a fixed binary matrix. One can then begin with the computation of the
Gauss algorithm on a basis of the y space. The complexity of this part is
denoted T_invert. An argument similar to the one used in the previous section allows
one to estimate it as N_eq N_var (N_eq + N_var)/2. The end of the resolution consists in
checking whether the remaining equations are verified, in other words testing
at most N_eq linear relations on the output bits, leading to a complexity of at
most T_check = N_eq elementary operations. Therefore this step can be overlooked
in numerical applications.

As a result, the complexity of the new algorithm is derived from equation (3) as follows:

$T_{set}(N) = \frac{2^{256 - N_{var}}}{N}\left(T_{build} + T_{invert}\right) + 2^{256 - N_{var}}\, T_{check} + 2^{256 - N_{eq}}\, T_{test}$ (4)

We also have T_invert^{(7)} ≈ 1029 operations and T_invert^{(8)} ≈ 836 operations, which
means T_invert^{(7)} ≈ 2^{−3.36} and T_invert^{(8)} ≈ 2^{−3.65} compression evaluations.

6.3 Second Preimages for Short Messages 

We can now consider the following algorithm. It requires that the original
message contains at least 10 complete blocks. If this condition is fulfilled, its
complexity does not depend on the message length. Therefore it is more efficient
than Kelsey and Schneier's attack only for short messages.

We consider a message M = m_0 || ... || m_9 || ... || m_t and try to find a second
preimage of the digest of M. Therefore we consider the chaining variable h_{10} =
F_{10}(IV, m_0, ..., m_9). First, we try to find x pseudo preimages of h_{10}, namely
(h_{9,1}, m_{9,1}), ..., (h_{9,x}, m_{9,x}). We use our 8-variable set. The complexity of this
step is about:

$T_1(x) = x \times \left(2^{248}\left(T^{(8)}_{build} + T^{(8)}_{solve}\right) + 2^{245}\, T^{(8)}_{test}\right) \approx 2^{246.2}\, x$ (5)


In a second step, starting from S = {h_{9,0}, h_{9,1}, ..., h_{9,x}} where h_{9,0} = F_9(IV, m_0,
..., m_8), we search y pseudo preimages of one element of the set S, (h_{8,1}, m_{8,1}),
..., (h_{8,y}, m_{8,y}). For this step we use 7-variable equation systems. The complexity
of the second step is:


$T_2(x, y) = y \times \left(\frac{2^{249}}{x}\left(T^{(7)}_{build} + T^{(7)}_{invert}\right) + 2^{249}\, T^{(7)}_{check} + 2^{242}\, T^{(7)}_{test}\right)$ (6)


Finally, using a probabilistic approach, we try to find (m'_0 || ... || m'_7) ≠
(m_0 || ... || m_7) such that the resulting chaining variable h'_8 = F_8(IV, m'_0, ..., m'_7)
collides with one of the h_{8,j}, with h_{8,0} = F_8(IV, m_0, ..., m_7). The complexity of
this step is then:

$T_3(y) = \frac{2^{256}}{y}$ (7)


Let us denote m_{8,0} = m_8 and m_{9,0} = m_9. For j as defined above, there exists
i such that F(h_{8,j}, m_{8,j}) = h_{9,i}. As a result, F_{10}(IV, m'_0, ..., m'_7, m_{8,j}, m_{9,i}) =
h_{10}, and

$H(m'_0 \| \ldots \| m'_7 \| m_{8,j} \| m_{9,i} \| \ldots \| m_t) = H(M).$ (8)


This leads to a second preimage for H(M) with complexity

$T(x, y) = T_1(x) + T_2(x, y) + T_3(y) \approx 2^{246.2}\, x + \frac{2^{247.1}\, y}{x} + 2^{242}\, y + \frac{2^{256}}{y}$ (9)


For Hamsi-256 the best compromise is found when the complexities of all these
steps are almost the same. For x = 11 and y = 71 we then have:

$T_1(x) \approx 2^{249.66},\quad T_2(x, y) \approx 2^{249.66},\quad T_3(y) \approx 2^{249.83}$

This leads to a complexity of about T(x, y) ≈ 2^{251.30} compression evaluations.


7 The Kelsey-Schneier Second Preimage Attack 

In previous sections we described a second preimage attack that runs faster than 
generic attacks on hash functions. To be exhaustive we also need to argue that 
it runs faster than generic attacks on the domain extender used to design Hamsi. 

In 0, Kelsey and Schneier showed a generic attack on single-pipe Merkle-Damgård
hash functions. To achieve it, they use either a multicollision finding
algorithm created by Joux 0, or fixed points. As Hamsi-256 is based on the
Merkle-Damgård domain extender, this attack can also be used against Hamsi-256.
However, Hamsi-256 makes use of very short message blocks, which do not give the
adversary enough degrees of freedom to apply the attack to Hamsi-256. Furthermore,
the specific design of the compression function does not enable an adversary to
generate fixed points easily.

In this Section we describe a modified version of the attack, so as to make it 
applicable to Hamsi-256. The modification is trivial, however the complexity of 
the new attack slightly differs from the complexity of the original attack. The 
aim of this Section is therefore to find an estimation of the complexity of the 
best generic attack against Hamsi-256. 

7.1 Description of the Attack 

Definition 1. A (p, q) expandable message for a Merkle-Damgård hash function
H is a set of (q − p + 1) messages (μ_p, ..., μ_q) such that

1. H(μ_p) = H(μ_{p+1}) = ... = H(μ_q) = h.

2. ∀i ∈ {p, ..., q}, μ_i contains exactly i blocks after the padding.

The original second preimage attack works as follows. Let us suppose that
we want to find a second preimage of the Hamsi-256 digest of an ℓ-block message
M = m_0 || m_1 || ... || m_{ℓ−1}. We aim at finding a message M' such that H(M) =
H(M'). We look for M' such that M and M' have the same length.

1. Generate a (p, q) expandable message for H, for some appropriate values of
p and q that will be discussed later on.

2. Choose the common digest value h as chaining variable, and compute the
compression function for random sequences of 8 message blocks, to find
(m'_1, ..., m'_8) such that F_8(h, m'_1, ..., m'_8) is one of the chaining values
involved in the computation of H(M), CV_i = F_i(IV, m_0, ..., m_{i−1}) for i ∈
{p + 8, ..., q + 8}.

3. Compute μ_{i−8}. The message M' = μ_{i−8} || m'_1 || ... || m'_8 || m_i || ... || m_{ℓ−1} is a
second preimage of H(M).

7.2 Expandable Messages for Hamsi-256 

Expandable messages are generated using the multicollision algorithm of 0.
Expandable messages of size 2^k can be generated by iterating the following
search.

Set C_0 = IV (the initialization vector of Hamsi-256). For all i in {0, ..., k −
1}, find two sequences of message blocks a_i = (a_{i,1}, ..., a_{i,α_i}) and b_i =
(b_{i,1}, ..., b_{i,α_i + 2^i}) such that:

$C_{i+1} = F_{\alpha_i}(C_i, a_{i,1}, \ldots, a_{i,\alpha_i}) = F_{\alpha_i + 2^i}(C_i, b_{i,1}, \ldots, b_{i,\alpha_i + 2^i}).$

Let p = Σ_i α_i and j ∈ {p, ..., p + 2^k − 1}. We can write j = p + Σ_i x_i 2^i,
with x_i ∈ {0, 1}. Then the sequence μ_j = (L_{0,x_0}, ..., L_{k−1,x_{k−1}}), where L_{i,0} = a_i
and L_{i,1} = b_i, has length j, and F_j(C_0, μ_j) = C_k. In the generic case, Kelsey and Schneier take α_i = 1 for all i.
The cost of each step of the search is then about 2^{n/2} because of the birthday
paradox, leading to an overall complexity of about k2^{n/2}.
Hamsi-256 has the specific property that the message blocks are small compared
to the chaining variables. Therefore, if the attacker chooses α_i = 1, he
can generate only 2^{32} values for the sequence L_{i,0}. In the first iterations, the
probability to find a collision is very small, and the cost of iterations for i ≥ 3
is about 2^{256−32} = 2^{224}. To keep an equivalent complexity, one then needs to
choose α_i = 4 for each value of i, leading to a (4k, 4k + 2^k − 1) expandable message
after about k2^{128} compression evaluations.


7.3 Complexity Evaluation 

In the case of Hamsi-256 we choose p = 4k and q = 4k + 2^k − 1 such that
q + 8 ≤ ℓ − 1. The last two compression functions of the computation of H(M)
involve message blocks representing the bitlength of M, and the block before
contains padding bits, so we do not take the resulting chaining values into account.

The cost of the expandable message generation is then about k2^{128} compression
function evaluations. The average number of trials for the second step is
then about 2^{256−k}. The message μ_{i−8} can be recovered easily. The
overall complexity of the attack is then:

$T(k) = k\,2^{128} + 2^{256 - k}$ (10)

The complexity of the attack is the same as the one found by Kelsey and Schneier,
but the condition on the message length is slightly different (ℓ ≥ 4k + 2^k + 8
instead of ℓ ≥ k + 2^k + 1). As a result, our attack described in the previous Section
is more efficient than this generic attack for messages whose length is between
10 and 96 blocks.

7.4 Possible Improvements 

Some small improvement of our second preimage attack could be obtained by
mixing the attack on the domain extender by Kelsey and Schneier with our
pseudo preimage finding algorithm. For example, one could try to invert some of
the intermediate chaining variables involved in the computation of H(M) between
the two steps of the generic attack, so as to increase the potential number of
targets for the second phase. Such an attack could however only be efficient
for short messages, as the interest of our pseudo preimage algorithm is that it
discards some values of (C, m) due to linear relations. If the target space becomes
larger than 2^{14}, almost every value of F(m, C) will be computed anyway, and
applying our technique is pointless.

8 Conclusion and Openings 

In this article we presented the first attack on Hamsi-256 that runs faster than
generic attacks on hash functions. Though it has some similarities with differential
attacks, such as the study of the propagation of variables or the reduction
of the search space by setting some conditions, it is mainly an algebraic attack.
For short messages, our algorithm is faster than generic attacks on the
Merkle-Damgård domain extender as used for Hamsi. While the attack complexity
does not represent any practical immediate threat for the use of Hamsi-256,
it highlights some weaknesses in its design.
Abstract. In this paper, we present non-full-active Super-Sbox analysis
which can detect non-ideal properties of a class of AES-based permutations
with a low complexity. We apply this framework to SHA-3
round-2 candidates ECHO and Grøstl. The first application is for the
full-round (8-round) ECHO permutation, which is a building block for
256-bit and 224-bit output sizes. By combining several observations specific
to ECHO, our attack detects a non-ideal property with a time complexity
of 2^{182} and 2^{37} amount of memory. The complexity, especially in
terms of the product of time and memory, is drastically reduced from
the previous best attack which required 2^{512} × 2^{512}. Note that this result
does not impact the security of the ECHO compression function nor the
overall hash function. We also show that our method can detect non-ideal
properties of the 8-round Grøstl-256 permutation with a practical
complexity, and finally show that our approach improves a semi-free-start
collision attack on the 7-round Grøstl-512 compression function.
Our approach is based on a series of attacks on AES-based hash functions
such as rebound attack and Super-Sbox analysis. The core idea is
using a new differential path consisting of only non-full-active states.

Keywords: AES-based permutation, ECHO, Grøstl, SHA-3, Super-Sbox.


1 Introduction 

Hash functions are used in a wide range of cryptographic applications. Since
the break of MD5 and SHA-1, cryptographers have been seeking secure and
efficient hash constructions. From this background, NIST started the competition
to determine the future standard hash function called SHA-3.

In the SHA-3 competition, 14 algorithms are being considered as round 2
candidates. At the present time, none of them has been seriously broken in terms of
the important security properties such as collision resistance or preimage
resistance. However, for some candidates, building blocks such as compression
functions or internal permutations have been shown not to satisfy

M. Abe (Ed.): ASIACRYPT 2010, LNCS 6477, pp. 38–55, 2010.
ideal properties. Although this does not damage the security of the hash functions
immediately, the analyses of building blocks are useful to know the potential
weakness, security margin, validity of the security proof, and so on.

Many of the SHA-3 candidates are based on the design strategy of AES.
Recently, outstanding progress in the cryptanalysis of AES-based hash
functions or permutations has been made. Specifically,
the Rebound attack proposed by Mendel et al. at FSE 2009, the Start-from-the-Middle
attack proposed by Mendel et al. at SAC 2009, and the Super-Sbox
analysis applied to the rebound attack by Lamberger et al. at Asiacrypt 2009
and by Gilbert and Peyrin at FSE 2010 have a wide range of
applications and are powerful analytic tools. In fact, the rebound based attack
has been applied to several SHA-3 candidates such as
Grøstl, ECHO, JH, Cheetah [21], LANE [22] and Twister. It has
also been applied to other hash functions such as Whirlpool
and AES hashing modes.

ECHO [?], designed by Benadjila et al., is one of the round-2 algorithms in the SHA-3 competition; it uses a 2048-bit AES-based permutation. The number of rounds in the permutation is 8 for ECHO-224 and -256, and 10 for ECHO-384 and -512. At FSE 2010, Gilbert and Peyrin showed that the full-round (8-round) ECHO permutation can be distinguished from an ideal permutation with time 2^768 and memory 2^512 by using the Super-Sbox analysis [9]. After that, Peyrin [26] improved this attack so that it requires 2^512 in both time and memory. Because the 8-round ECHO permutation is a building block for generating 256-bit or 224-bit hash values, and the compression from 2048 bits to 256 or 224 bits is not taken into account, the impact of this attack seems almost negligible. In addition, as long as it is evaluated in the framework of [9], neither the time nor the memory can be below 2^512¹. To sum up, there is no powerful analysis on the ECHO hash function or compression function. Even though attacks on the permutation reached the full round, their complexity is too high.

Note that the reduced-round ECHO compression function is attacked by Peyrin [26]. Recently, Schläffer presented an analysis of ECHO [27] and Ideguchi et al. presented an analysis of Grøstl [28]. These results are listed in Table 1.


Our Contributions 

In this paper, we present the non-full-active Super-Sbox analysis, which can detect non-ideal properties of a class of AES-based permutations with a low complexity. To demonstrate its applicability, we first apply the non-full-active Super-Sbox analysis to the 8-round Grøstl-256 permutation, which is an AES-based permutation with an 8 × 8 state. This attack can detect a non-ideal property of the 8-round Grøstl-256 permutation with time 2^48 and memory 2^8, while detecting the same property of an ideal permutation requires 2^96. We then apply this framework to the full-round (8-round) ECHO permutation by optimizing the attack, taking several properties specific to ECHO into account. This attack

1 Reasons for this limitation are explained in [9, Section 4.4] and [26, Appendix B].
Table 1. Comparison of attack results on ECHO and on Grøstl

Target                         Rounds     Time          Memory       Attack Type            Paper
ECHO-256/-224 Permutation      8 (full)   2^768         2^512        Distinguisher          [9]
                               8 (full)   2^512         2^512        Distinguisher          [26]
                               8 (full)   2^182         2^37         Distinguisher          Sect. 5.2
                               7          2^128         2^32         Distinguisher          [26]
                               7          2^118         2^38         Distinguisher          Append. A
ECHO-256/-224 Single-pipe      3          2^64          2^64         Distinguisher          [26]
  Comp. Func.                  3          2^32          2^38         Distinguisher          Append. B
Grøstl-256 Permutation         8          2^112         2^64         Distinguisher          [9]
                               8          2^64          2^64         Distinguisher          [28]
                               8          2^48          2^8          Distinguisher          Sect. 4.4
Grøstl-512 Comp. Function      7          2^152         2^64         Semi-free-start coll.  [17]
                               7          2^162         2^56         Semi-free-start coll.  Sect. 5.3
ECHO-256 Hash Function         4          2^64          2^64         Collision              [27]
                               5          2^96          2^64         Distinguisher          [27]
ECHO-256/-512 Comp. Function   3/3        2^64/2^96     2^64/2^64    Semi-free-start coll.  [26]
                               7/7        2^107/2^106   2^64/2^64    Distinguisher          [27]
Grøstl-256 Comp. Func.         10 (full)  2^192         2^64         Distinguisher          [26]
Grøstl-512 Comp. Func.         11         2^640         2^64         Distinguisher          [26]


can detect a non-ideal property of the 8-round ECHO permutation with time 2^182 and memory 2^37, while detecting the same property of an ideal permutation requires 2^256. Note that the 8-round ECHO permutation is a building block for ECHO-256 and ECHO-224. As far as we know, this is the first result on the full-round ECHO permutation which works with both time and memory (or the product of these factors) below 2^256 (or 2^224). Note, however, that the role of the convolution in the ECHO compression function is very important for its security, and our distinguisher cannot be extended to the ECHO compression function, nor to the hash function. Finally, we show that our approach also reduces the amount of memory for the semi-free-start collision attack on the 7-round Grøstl-512 compression function from 2^64 to 2^56. In the appendices, we show new results on the reduced-round ECHO permutation and compression function. An attack on the 7-round ECHO permutation and a low-complexity distinguisher on the 3-round single-pipe ECHO-256 compression function are included. The attack results are summarized in Table 1. The technical details in this paper are as follows.

Low complexity distinguishers on AES-based permutations. We present a new strategy for the Super-Sbox analysis which works generically for a class of AES-based permutations. The core idea is to use a differential path whose inbound part, in particular inside the Super-Sbox, consists of only non-full-active states. For non-active bytes, the difference is always 0 through the SubBytes and InverseSubBytes operations regardless of the value. Hence, attackers can freely choose the value without breaking the differential path. These degrees of freedom enable attackers to control the values (or the differences through the SubBytes operation) of other bytes inside the Super-Sbox so that they can be connected efficiently.

Observations on the properties of the ECHO permutation. We explain two new observations on the ECHO permutation when dealing with the byte-wise truncated differential path. First, we find that the linearity of the joint of two linear operations (MixColumns inside BigSB and the following BigMC) should be taken into account in order to correctly calculate the complexity for a certain differential path. Second, there is freedom in the differential paths inside BigSB that attackers can use to reduce the complexity.

In Section 2, we describe the AES permutation, ECHO, and Grøstl. In Section 3, we introduce previous work. In Section 4, we present the framework of the non-full-active Super-Sbox analysis and show its application to the 8-round Grøstl-256 permutation. In Section 5, we attack the full-round ECHO permutation and the 7-round Grøstl-512 compression function. In Section 6, we conclude this paper. Results on other variants of ECHO are described in the appendices.

2 Specifications 

AES [?] is a 128-bit block cipher represented by a 4 × 4 byte state. Here we consider a general AES-based permutation with an r × r state where each element is a c-bit word. The row and column positions of a word/byte are denoted by i and j, respectively, where i, j ∈ [0, r − 1]. As shown in Fig. 1, the state is updated by four operations in a round of the AES-based permutation.

— SubBytes (SB): non-linear word/byte substitution according to an S-box.

— ShiftRows (SR): each word/byte at row j is rotated to the left by j positions.

— MixColumns (MC): multiply each column by an MDS matrix.

— AddRoundKey (AK): bit-wise XOR of the current state and a constant.


2.1 ECHO Permutation 

ECHO [?], designed by Benadjila et al., is a hash function using a 2048-bit AES-based permutation as its building block. The permutation consists of 8 rounds for ECHO-224 and -256, and 10 rounds for ECHO-384 and -512. The 2048-bit internal state can be represented by a 4 × 4 matrix where each element is a 128-bit AES state called a BigWord. The round operation in the ECHO permutation manipulates 128-bit BigWords instead of 8-bit bytes. One round of the ECHO permutation, shown in Fig. 2, has three operations:

— BigSB: substitute each BigWord by applying two AES rounds.

— BigSR: each BigWord at row j is rotated to the left by j positions.

— BigMC: multiply each 4 bytes of the ECHO state by an MDS matrix.

To simplify the dedicated analysis on ECHO, as introduced by [26], we denote 4 types of byte-wise truncated differences of a BigWord as shown in Fig. 3.

Fig. 1. The operations inside a round of an AES-based permutation

Fig. 2. One round of the ECHO permutation

Fig. 3. Notations for ECHO BigWords


2.2 Grøstl Permutation and Compression Function

Grøstl, designed by Gauravaram et al. [18], is another hash function built upon AES-based permutations. The Grøstl-256 permutation uses an 8 × 8 state where each element is an 8-bit byte, while the Grøstl-512 permutation uses an 8 × 16 state. The number of rounds in the permutation is 10 for Grøstl-224 and -256, and 14 for Grøstl-384 and -512. Grøstl-512 uses a different ShiftRows operation from Grøstl-256, where the bytes at row 7 are rotated to the left by 11 positions.

3 Previous Work 

The Rebound attack was proposed by Mendel et al. at FSE 2009 [7] and is useful for analyzing AES-based permutations. It divides a differential path into two parts: the inbound and outbound phases. The inbound phase controls the most expensive part of the differential path with a very low average complexity; then the outbound part is satisfied probabilistically. One needs to make sure that the total number of starting points generated in the inbound phase is enough to fulfill the outbound part.

The Start-from-the-Middle attack was proposed by Mendel et al. at SAC 2009 [?]. It improves the rebound attack by extending the number of controlled rounds from 2 to 3. The idea is to utilize the independence and the freedom of each search procedure as much as possible. As a result, without increasing the time and memory, 3 rounds of the differential path can be fulfilled efficiently.

The Super-Sbox analysis for the rebound attack was independently proposed by Lamberger et al. at Asiacrypt 2009 and by Gilbert and Peyrin at FSE 2010 [9]. A Super-Sbox combines 2 non-linear layers and 1 diffusion layer into 1 non-linear layer with a larger substitution box. It can extend the inbound phase by one more round. As a side effect, attackers need to spend more time and memory to exploit the differential property of the Super-Sbox.

Peyrin proposed a differential path for ECHO with an increased granularity [26]. This can reduce the number of active bytes inside an active BigWord, and thus the attack complexity can be reduced.

4 Framework of Non-full-active Super-Sbox Analysis 

In this section, we use the following notations:

r: the number of rows and columns in a state.
c: the number of bits of each cell (word) in a state.
s: the number of non-active columns in the initial state of the differential path.
Col(x): a state where x columns are fully active, namely r × x bytes are active.
SR(Col(x)), SR^{-1}(Col(x)): the state obtained by passing Col(x) through SR or SR^{-1}, respectively.
F: a state where all bytes are active.
x/y: a state where y bytes become non-active from a state x.

In the Super-Sbox analysis, as long as we follow the strategy of Gilbert and Peyrin [9], the attack complexity is lower-bounded by 2^{rc}. In this section, we present a new framework called non-full-active Super-Sbox analysis, which can detect non-ideal properties with a lower complexity. We first make a truncated differential path whose inbound part, in particular inside the Super-Sbox, consists of non-full-active states. For non-active bytes, the differential transition 0 to 0 always holds regardless of the value, and thus attackers can freely choose the value without breaking the path. This gives attackers the degrees of freedom to adjust the other bytes inside the Super-Sbox.

The non-full-active Super-Sbox analysis can be applied to AES-based permutations. We assume that the MixColumns operation is composed of an MDS matrix M, namely the sum of the numbers of active bytes in the input and output states of a column is either greater than or equal to r + 1, or 0.


4.1 Non-full-active Truncated Differential Path 

We show a generic description of the non-full-active differential path. The differential path has a parameter s, which is the number of non-active columns in the initial state; s determines the complexity of the attack. The differential path is depicted in Fig. 4, instantiated with r = 8 and s = 3.

To make the differential path, we start from the states after the 2nd and 5th rounds, which are Col(1)/s and SR^{-1}(Col(1))/(r − (s + 1)), respectively. The differential propagation through the 3rd round in the forward direction and through the 5th round in the backward direction is deterministic, resulting in F/Col(s) and F/SR^{-1}(Col(r − (s + 1))), respectively. We then need to check that the differential propagation through the MixColumns operation in the 4th round is consistent with the MDS property. Because the input and output states have r − s and r − (r − (s + 1)) active bytes in each column, respectively, the sum of active bytes in the input and output is r − s + r − (r − (s + 1)) = r + 1. Hence, the differential path is consistent with the MDS property. Next, we determine the differential propagation through the 6th round in the forward direction. The number of active bytes after the 6th round should be reduced as much as possible in order to make the target non-ideal property hard to achieve for an ideal permutation. Hence, we maximize the number of non-active bytes while satisfying the MDS property, which results in the state Col(1)/s. Similarly, we determine the differential propagation through the 2nd round in the backward direction. We make the number of active bytes the same as in the state after the 6th round², which results in SR^{-1}(Col(1))/s. The rest of the path is deterministic.

Fig. 4. (Bottom) New differential path for 8-round AES-based permutations, instantiated with r = 8 and s = 3. (Top) Previous path for the Super-Sbox analysis [9].


4.2 Low Complexity Inbound Phase 

We explain how to compute the inbound phase for our path. Details of the states inside the inbound phase are shown in Fig. 5, where each state is denoted by #i with 0 ≤ i ≤ 8. The inbound phase starts from the state after the SubBytes in the 3rd round (#0) and the state input to the 6th round (#8). The goal of the inbound phase is to find paired values satisfying the differential path from #0 to #8. We find 2^c such paired values with 2^c computations and 2^c memory.

States #0 and #8 include r − s and s + 1 active bytes, respectively. First, we choose and fix the differences of all active bytes in #0 and the differences of s active bytes out of the s + 1 active bytes in #8. Then, for each of the 2^c possible differences of the last active byte in #8, we aim to store a corresponding paired value. Due to the linearity of the operations, we can compute the corresponding differences in state #2 and the corresponding s-byte differences in each column of #6. The Super-Sbox analysis can be applied between #2 and #6, namely we can compute them column by column independently. The previous Super-Sbox analysis spent 2^{rc} time and 2^{rc} memory for this computation, while we connect these two states efficiently by using the degrees of freedom of the non-active bytes. In the following, we only show the Super-Sbox computation for the leftmost column, which is emphasized with bold squares in Fig. 5. The other columns can be connected with the same procedure.

2 With a lower probability, the number of active bytes can be smaller. However, this will not lead to any advantage in the distinguishing attack.

Fig. 5. Inbound phase for the new differential path with non-full-active states



Fig. 6. Computation procedures inside each Super-Sbox 


Computation procedure inside the Super-Sbox. The operations inside the Super-Sbox are shown in Fig. 6. Because the ShiftRows operation has no impact inside the Super-Sbox, we omit it in Fig. 6. To stress that each Super-Sbox is computed column by column, we denote the states inside the Super-Sbox by #2A, #4A, #5A, and #6A in Fig. 6. The goal of this procedure is to efficiently produce 2^c paired values which satisfy the fixed part of the differences of #2A and #6A. This procedure finds 2^c paired values with a time complexity of 2^c and 2^c memory. The attack procedure is as follows.

0. For each active byte whose difference is fixed in #2A and #6A, compute SB and Inverse-SB for all 2^c possible values and the fixed difference. Store these 2^c values and the corresponding output differences as a look-up table. We sort the tables according to the output differences so that a table look-up requires only 1 memory access. As a result, (r − s) + s = r look-up tables are prepared.

1. Choose a difference of one active byte in #4A. (The top byte of #4A is chosen in Fig. 6.)

2. We have r − s − 1 other active bytes in #4A and need to make sure the same number of bytes in #5A are non-active. This is done by solving a system of equations, and we obtain one solution of the system. As a result, the differences in #4A and #5A become consistent and are uniquely fixed.

3. From the fixed difference of #4A and the given difference of #2A, for each active byte, we obtain a pair of values which connects these differences by looking up the tables generated in Step 0. Do the same for the fixed s-byte differences of #6A and #5A. Note that the values of the non-active bytes are not fixed yet.

4. Then we connect the values of the active bytes of #4A and #5A. We use the degrees of freedom of the non-active bytes to achieve this effectively. There are s non-active bytes in #4A and s active bytes in #5A whose values are fixed in Step 3. By solving a system of equations, we can calculate the values of the s non-active bytes in #4A so that the fixed s bytes of #5A are consistent.

5. With the fixed values in #4A, we compute the non-fixed active byte in #5A, and further compute the corresponding value in #6A. We store the entire values and differences of states #2A and #6A in a table.

6. We iterate Step 1 to Step 5 2^c times by changing the difference of the chosen active byte in #4A.

Complexity of the inbound phase. We assume r and s are small enough compared to 2^c (e.g. r = 8, s = 3, and 2^c = 256 in Fig. 4). Step 0 requires 2^c computations and 2^c memory. Steps 1 to 5 can be computed with a complexity of 1 (based on the assumption, the cost of looking up r tables and solving systems of equations of size s is ignored). Step 5 uses a memory of 1. Because Steps 1 to 5 are repeated 2^c times in Step 6, the complexity of this procedure is 2^c time and 2^c memory. Note that 2^c values and differences of the non-fixed active byte are stored in the table. Therefore, we obtain 1 solution on average for any difference of the non-fixed byte.

After we finish the computation for all Super-Sboxes, we choose a difference of the non-fixed byte in #8 in Fig. 5. For each of its 2^c possible differences, we compute the corresponding difference in #6, and obtain the value which connects #2 to #6 by looking up each Super-Sbox. Note that we obtain one solution on average for any pair of differences in #2 and #6. To sum up, we can obtain 2^c starting points, which are solutions of the inbound phase, with time 2^c and memory 2^c. In other words, we obtain a starting point with time 1 on average.


4.3 Outbound Phase and the Freedom Degrees 

After the inbound phase, we compute the outbound phase. The differential path described in Fig. 4 has two probabilistic differential propagations: 1) the backward computation through the 2nd round and 2) the forward computation through the 6th round. In both rounds, the MixColumns or InverseMixColumns operation needs to produce s non-active bytes. Therefore, for each of these rounds, the success probability is 2^{-cs}. Finally, this attack requires 2^{2cs} starting points for the outbound phase, and each starting point is generated with time 1 on average. Hence, with time 2^{2cs}, we find a pair following the differential path.
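The MDS assumption of Section 4 and the 2^{-cs} probability above can be checked concretely on the AES MixColumns matrix (r = 4, c = 8). The following Python code is an added example, not code from the paper, and all of its function names are the example's own: it implements MixColumns over GF(2^8), enumerates every column difference whose active bytes lie in two chosen positions (2^16 − 1 nonzero differences), verifies that active input bytes plus active output bytes never falls below r + 1 = 5, and counts how often one prescribed output byte becomes non-active (s = 1). Exactly 255 of the 65535 differences do so, i.e. the probability is about 2^{-8}, as the text states for c = 8, s = 1.

```python
"""Added example (not from the paper): the MDS condition of Section 4 and the
2^-cs outbound probability of Section 4.3, checked on AES MixColumns (r = 4,
c = 8).  All names below are the example's own."""
import math


def xtime(b):
    """Multiply a byte by x (i.e. by 2) in GF(2^8) with the AES polynomial."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b & 0xFF


# Multiplication tables for the three coefficients that appear in MixColumns.
MUL = {
    1: list(range(256)),
    2: [xtime(x) for x in range(256)],
    3: [xtime(x) ^ x for x in range(256)],
}

# The AES MixColumns matrix. It is MDS: any nonzero input/output column pair
# has at least r + 1 = 5 active bytes in total (branch number 5).
MDS_MATRIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]


def mix_column(col):
    """Apply MixColumns to one 4-byte column. Because the map is linear,
    applying it to a difference yields the output difference."""
    out = []
    for row in MDS_MATRIX:
        acc = 0
        for coef, byte in zip(row, col):
            acc ^= MUL[coef][byte]
        out.append(acc)
    return out


def active(col):
    """Number of active (nonzero) bytes of a column difference."""
    return sum(1 for b in col if b)


def scan_two_active_differences(pos=(0, 1)):
    """Enumerate every column difference whose active bytes lie in `pos`
    (2^16 - 1 nonzero differences) and report:
      min_branch : smallest active(in) + active(out) seen (MDS predicts 5),
      zero_out0  : how many differences make output byte 0 non-active,
      zero_out01 : how many make output bytes 0 and 1 both non-active,
      total      : number of differences examined.
    zero_out0 / total is the 2^-cs success probability for c = 8, s = 1.
    zero_out01 must be 0: two active bytes in and two active bytes out would
    give a branch number of 4, which the MDS property forbids."""
    p, q = pos
    min_branch = 8
    zero_out0 = zero_out01 = total = 0
    for a in range(256):
        for b in range(256):
            if a == 0 and b == 0:
                continue
            col = [0, 0, 0, 0]
            col[p], col[q] = a, b
            out = mix_column(col)
            total += 1
            min_branch = min(min_branch, active(col) + active(out))
            if out[0] == 0:
                zero_out0 += 1
                if out[1] == 0:
                    zero_out01 += 1
    return {"min_branch": min_branch, "zero_out0": zero_out0,
            "zero_out01": zero_out01, "total": total}


if __name__ == "__main__":
    stats = scan_two_active_differences()
    print(stats)
    print("log2 P(output byte 0 non-active) = %.2f"
          % math.log2(stats["zero_out0"] / stats["total"]))
```

The zero count for two prescribed output bytes is 0 rather than about 2^{-16} of the total, because a difference with two active input bytes and two non-active output bytes would violate the branch number; this is why the path of Section 4.1 only asks MixColumns to cancel s bytes in positions where the MDS condition still leaves room, and why the 2^{-cs} estimate applies there.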

We also need to confirm that the available degrees of freedom are enough. Our attack starts from the states #0 and #8 in Fig. 5. #0 and #8 include r − s and s + 1 active bytes, respectively, and thus we have 2^{c(r+1)} degrees of freedom in total.
Table 2. The complexity to find the property with our attack and with an ideal permutation

s       1         2        3          4         5          6         7          8
Ours    2^{2c}    2^{4c}   2^{6c}     2^{8c}    2^{10c}    2^{12c}   2^{14c}    2^{16c}
Ideal   2^{cr/2}  2^{cr}   2^{3cr/2}  2^{2cr}   2^{5cr/2}  2^{3cr}   2^{7cr/2}  2^{4cr}


Hence, as long as the parameter s satisfies 2^{c(r+1)} ≥ 2^{2cs}, i.e. s ≤ (r + 1)/2 (Eq. (1)), we have enough degrees of freedom.


4.4 Target Class of AES-Based Permutations and an Example 

Let us consider the complexity for an ideal permutation. The last MixColumns is not taken into account because it is fully linear. Hence, the problem is regarded as finding a crs-bit collision. A crs-bit collision can be found by the birthday attack because attackers have enough degrees of freedom due to Eq. (1). Hence, the complexity for an ideal permutation is 2^{crs/2}. The comparison of the non-full-active Super-Sbox analysis and the ideal case is shown in Table 2.

From Table 2, we can see that r > 4 is the condition for our attack to work. Therefore, our attack cannot be applied to AES (r = 4). Note that the ECHO permutation is regarded as an AES-based permutation with r = 4 at the BigWord level. However, it has other structures, and these enable us to greatly reduce the attack complexity on the ECHO permutation. See Section 5 for details.

Let us consider an application to a real primitive. Grøstl-256 uses an AES-based permutation with r = c = 8. In the previous Super-Sbox analysis [9], the 8-round permutation is distinguished with time 2^112 and memory 2^64, which is too expensive to be implemented. In our attack, we choose s = 3, whose differential path is shown in Fig. 4. Consequently, from Table 2, we can detect a pair of values following the differential path with time 2^48 and 2^8 memory, while finding a pair of values in an ideal permutation requires 2^96, which is infeasible. Choosing other s is also possible as long as s < 4.

5 Applications to ECHO and Grøstl

5.1 New Observations on ECHO 

In this section, we explain several new observations on the ECHO permutation 
when dealing with the dedicated byte-wise differential path. 

Complexity analysis for the joint MixColumns and BigMC. In the ECHO permutation, the 2-round AES permutation inside BigSB can be considered as a non-linear layer with Super-Sboxes and a diffusion layer consisting of ShiftRows, MixColumns and AddRoundKey. Note that the second MixColumns inside BigSB and the following BigMC are performed successively. We show that the linearity of the joint MixColumns and BigMC should be considered to correctly compute the complexity for certain differential paths.

48 Y. Sasaki et al.

Fig. 7. A differential path for a 1-round ECHO permutation

As an example, let us check the complexity for the differential path shown in Fig. 7, assuming the differences and real values at state #1 have full freedom. In the previous analysis [26, Appendix B], the complexity for this differential path is likely to be divided into three parts and analyzed independently. State #1 to #2 can be fulfilled when the output of each active Super-Sbox has only 1 active byte. Since 12 bytes in total are required to be zero, the probability is regarded as 2^{-96}. The complexity from #2 to #3 is 1. And since 12 bytes are required to be zero from #3 to #4, the probability is regarded as 2^{-96}. As a result, the total probability is regarded as 2^{-96×2} = 2^{-192}. However, we show that MixColumns and BigMC cannot be considered separately, and thus the correct probability needs to be reconsidered.

We can see that the freedom of the difference at state #2 or #3 is at most 2^32, since #2 has only 4 active bytes. In contradiction to the previous analysis, the freedom of the difference at #3 (2^32) seems unable to fulfill the differential propagation to #4 (2^{-96}). However, we show that this propagation is fulfilled with a probability of 2^{-24}, and thus 2^32 degrees of freedom are enough.

This fact can be understood from two directions. First, for a position-fixed active byte and the fixed MDS matrix used in MixColumns between #2 and #3, the 4 active bytes inside each active BigWord at #3 have a fixed linear relationship. Then, if BigMC generates the required difference at #4 for one of the 4 active-byte positions with a probability of 2^{-24} (e.g. the 4 top-left bytes of the 4 active BigWords at #3 generate 1 active byte at the top-left of state #4), the other three active-byte positions take the same differential pattern at #4 with probability 1. Another interpretation is that one can switch the operation order, namely perform BigMC first and MixColumns later. When the 4 active bytes in #2 generate only 1 active byte through BigMC with a probability of 2^{-24}, the differential path from #3 to #4 through MixColumns is fulfilled with probability 1. As a result, the total complexity is 2^{96+24} = 2^{120} instead of 2^{192}. Note that this fact was independently discovered by [27] as SuperMixColumns.

Freedom of the differential path inside BigSB. We can use the freedom of the differential path inside BigSB to reduce the attack complexity. Our attacks only care about the differences at the start and end states of the permutation. We notice that, while keeping the differential path at the BigWord level, attackers can use the freedom of the differential paths at the byte level inside BigSB.

We again use the differential path in Fig. 7 as an example. In order to fulfill the differential path, the 4 active bytes in state #2 must be at the same position inside the leftmost column of each BigWord³. As a result, the differential path inside BigSB has 4 choices for the positions of the active bytes, and thus the complexity for the differential path in Fig. 7 can be reduced from 2^{120} to 2^{118}.

Fig. 9. Inbound phase for the 8-round ECHO permutation

5.2 Attack on Full-Round ECHO Permutation 

Truncated differential path. We use the differential path explained in Section 4.1 with parameter s = 1 at the BigWord level, which is shown in Fig. 8. We use the notation BigSB[x, y, z], where x, y, z ∈ {F, D, C, 1}, to show that x, the input differential pattern to BigSB, changes into y after the 1st AES round and into z after the 2nd AES round.

Inbound phase. The detailed differential path for the inbound phase is described in Fig. 9. The inbound phase starts from the middle of BigSB in the 3rd round (#α) and the input state to the 6th round (#β), where the differential form in #α is C. We first choose and fix a difference of #α and a difference of one of the active BigWords of #β, and compute the corresponding differences of #2 and #6. In the inbound phase, for each of the 2^32 possible differences of the non-fixed active BigWord in #β, we find a pair of values that satisfies the chosen differences of #α and #β. The attack procedure follows the one explained in Section 4.2 with some optimizations specific to ECHO. In the following, we describe the details for computing 1 Super-Sbox of ECHO with a size of 128 bits.

3 If the 4 active bytes in state #2 are in different positions inside each BigWord, the path in Fig. 7 becomes impossible. This may be used as a countermeasure against our attack.

0. Generate a look-up table for each of the 4 active BigWords with a fixed difference in #2A and #6A. With the procedure in Section 4.2, this costs 2^128 time and 2^128 memory. [26] pointed out that this can be performed efficiently by looking inside BigSB. BigSB can be regarded as 4 Super-Sboxes (SB, SR, MC, AK, SB) with a size of 32 bits and a linear part (SR, MC, AK). Then, for a given output difference of BigSB, we can calculate back the corresponding difference of the linear part, and thus values are searched by looking up the four 32-bit Super-Sboxes independently. Hence, look-up tables for 4 BigWords can be generated by computing 16 Super-Sboxes, which requires 16 × 2^32 in both time and memory.

1. Choose a difference of one active BigWord in #4A.

2. By solving a system of equations, compute the differences of 2 active BigWords in #4A so that 2 target BigWords in #5A are non-active.

3. For each active BigWord with a fixed difference, obtain a pair of values which connects the differences between #4A and #2A, and between #6A and #5A, by looking up the tables generated in Step 0.

4. By solving a system of equations, calculate the value of 1 non-active BigWord in #4A so that the fixed value of 1 BigWord in #5A is consistent.

5. With the fixed paired values in #4A, compute the non-fixed active BigWord in #5A and #6A. Only if the computed difference of #6A has the diagonal form D, store the entire values and differences of states #2A and #6A in a table.

6. Iterate Steps 1 to 5 2^128 times by changing the difference of the chosen BigWord in #4A.

In Step 0, look-up tables are generated with 2^36 time and 2^36 memory. Steps 1 to 5 are iterated 2^128 times. In Step 5, the computed difference has the diagonal form D with a probability of 2^32/2^128 = 2^{-96}, and thus we store 2^32 data after 2^128 iterations. Hence, the complexity for 1 Super-Sbox with a size of 128 bits is 2^128 computations and 2^36 + 2^32 memory. Note that we need 2^36 + (4 × 2^32) < 2^37 memory for 4 Super-Sboxes. In the end, the inbound phase generates 2^32 starting points with 2^128 computations and 2^37 memory, which is 2^96 computations on average to generate 1 starting point.

Success probability and degrees of freedom. If details are considered, Step 3 succeeds only probabilistically. The look-up tables for each BigWord consist of 4 Super-Sboxes with a size of 32 bits. Assume that each Super-Sbox has the same property as the AES S-box. Namely, for a randomly given pair of input and output differences, with a probability of approximately 2^{-1}, there exist approximately 2 paired values satisfying the differences. In Step 3, we look up 16 Super-Sboxes. Hence, the success probability is 2^{-16} and we obtain 2^16 paired values. We compute Steps 4 and 5 for all 2^16 paired values, and thus they are computed 2^128 times in total over the 2^128 iterations of Step 6. Consequently, the total time and memory for the inbound phase do not change. Note that the estimation using average numbers is imprecise only if the cost of the outbound phase is cheaper than that of the inbound phase. Because our attack iterates the inbound phase 2^54 times, the evaluation with average numbers is valid.
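Both the look-up tables of Step 0 in Section 4.2 (values sorted by output difference so that a query is one memory access) and the assumption just made, that a random pair of input and output differences of an S-box is solvable with probability about 2^{-1} and then admits about 2 paired values, can be reproduced on the AES S-box. The following Python code is an added example, not code from the paper; the function names are the example's own, and it is restricted to the 8-bit AES S-box rather than the 32-bit Super-Sboxes of ECHO. It derives the S-box from its definition, builds the Step 0 table for one active byte with a fixed input difference, and then tallies the difference distribution table over all nonzero difference pairs.

```python
"""Added example (not from the paper): the Step 0 look-up tables of Section 4.2
and the S-box difference statistics assumed in Section 5.2, computed for the
AES S-box (c = 8).  All names below are the example's own."""
from collections import defaultdict


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def build_aes_sbox():
    """Derive the AES S-box from its definition: multiplicative inverse in
    GF(2^8) (with 0 -> 0) followed by the fixed affine transformation."""
    inv = [0] * 256
    for x in range(1, 256):
        if inv[x]:
            continue
        for y in range(1, 256):
            if gf_mul(x, y) == 1:
                inv[x], inv[y] = y, x
                break
    sbox = []
    for x in range(256):
        v = inv[x]
        s = v
        for k in range(1, 5):  # s = v ^ rotl(v,1) ^ rotl(v,2) ^ rotl(v,3) ^ rotl(v,4)
            s ^= ((v << k) | (v >> (8 - k))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = build_aes_sbox()


def sbox_lookup_table(din, sbox=SBOX):
    """Step 0 for one active byte with fixed input difference `din`: run all
    2^c values through SB and index them by output difference, so that a
    (din, dout) query is a single table access.
    Returns {dout: [x, ...]} with sbox[x] ^ sbox[x ^ din] == dout."""
    table = defaultdict(list)
    for x in range(256):
        table[sbox[x] ^ sbox[x ^ din]].append(x)
    return dict(table)


def paired_values(din, dout, sbox=SBOX):
    """Values (x, x ^ din) whose S-box outputs differ by dout; empty when the
    (din, dout) pair is unsolvable."""
    return [(x, x ^ din) for x in sbox_lookup_table(din, sbox).get(dout, [])]


def ddt_statistics(sbox=SBOX):
    """Over all 255 x 255 nonzero (din, dout) pairs: how many are solvable,
    and how many paired values exist in total (a summary of the DDT)."""
    solvable = total = 0
    for din in range(1, 256):
        for dout, values in sbox_lookup_table(din, sbox).items():
            if dout:
                solvable += 1
                total += len(values)
    return solvable, total


def solvable_fraction_and_mean(sbox=SBOX):
    """Section 5.2 assumption: fraction of solvable pairs (~2^-1) and the
    mean number of paired values per solvable pair (~2)."""
    solvable, total = ddt_statistics(sbox)
    return solvable / (255 * 255), total / solvable
```

For the AES S-box the count is exact: every nonzero input difference reaches 127 of the 255 nonzero output differences (one of them with 4 paired values, the other 126 with 2), so the fraction of solvable pairs is 127/255 ≈ 0.498 and the mean number of paired values per solvable pair is 256/127 ≈ 2.02, which is the behaviour the text carries over to the 32-bit Super-Sboxes.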

We then check the degrees of freedom. In the inbound phase, we can choose up to 2^96 differences for #α and 2^32 differences for the fixed active BigWord in #β. Hence, the inbound phase can be iterated 2^128 times, and thus we can generate at most 2^160 starting points, which is enough to satisfy the outbound phase.

Outbound phase. The differential path shown in Fig. 8 includes two probabilistic differential propagations.

InverseBigMC in the 2nd round. For each of the diagonal positions, Inverse MixColumns outputs one non-active byte. This probability is (2^{-8})^4 = 2^{-32}.

BigSB and BigMC in the 6th round. The observations explained in Section 5.1 apply to this part. The probability that the differences in 2 BigWords propagate as D → 1 → C is (2^{-24})^2 = 2^{-48}. By taking the freedom of the differential path inside BigSB into account, the probability becomes 4 × 2^{-48} = 2^{-46}. In the BigMC operation, MC is computed for 4 positions. Due to the property of the joint MixColumns and BigMC operations, all 4 positions make 1 non-active byte with a probability of 2^{-8} in total. As a result, the total success probability of the 6th round is 2^{-46} × 2^{-8} = 2^{-54}.

In the end, the success probability of the outbound phase is 2^{-32} × 2^{-54} = 2^{-86}.

Total complexity and comparison with the ideal case. In our attack, we generate 2^86 starting points, and each of them is generated with 2^96 computations on average. Hence, the total complexity is 2^86 × 2^96 = 2^182. Note that this attack requires 2^37 memory. On the other hand, for the ideal case, the property is regarded as finding a 512-bit collision. This requires 2^256, which is much higher than our attack on ECHO.


5.3 Improving Semi-free-start Collisions on 7-Round Grøstl-512

We improve the semi-free-start collision attack on the 7-round Grøstl-512 compression function proposed by Mendel et al. [17]. It uses the previous Super-Sbox analysis and thus requires 2^64 memory. We show that the memory can be reduced to 2^56 with the non-full-active Super-Sbox analysis. Because our outbound phase is the same as in [17], we only explain the inbound phase.

In the Super-Sbox analysis with a rectangular state such as r × 2r, several Super-Sboxes include non-active bytes. Hence, the framework explained in Section 4 can be applied, and the data stored for each Super-Sbox can be reduced. In the previous differential path [17, Fig. 7], shown in Fig. 10, the 9th Super-Sbox at #Pi H takes a full-active column as input and outputs a full-active column, which requires 2^64 memory. In fact, this is the bottleneck of the entire attack.
Fig. 10. (Bottom) New differential path for Grøstl-512. (Top) Previous path. 


We reduce the number of active bytes where we choose the differences at the initial step of the inbound phase (fylA). This results in a differential path where each Super-Sbox has at least one non-active byte. The new path is shown in Fig. 10 (bottom). Each Super-Sbox can be computed based on the procedure explained in Section 4.2, which results in generating $2^{56}$ starting points with $2^{56}$ time and $2^{56}$ memory. Note that the differential propagation from j^P§ H to #Ps must be consistent with the MDS property. We confirmed that the amount of memory could not be reduced below $2^{56}$ due to this limitation. 

Because we reduced the number of active bytes, the degree of freedom was also reduced. The success probability of the outbound phase is $2^{-152}$, and thus we need $2^{152}$ starting points. Because our attack can choose 22-byte differences (8 bytes for #P 2 Si? and 14 bytes for #P 4) at the initial step, up to $2^{8 \times 22} = 2^{176}$ starting points can be produced, which is enough to satisfy the outbound path. 

6 Conclusions 

We presented the non-full-active Super-Sbox analysis, which can detect non-ideal properties of a class of AES-based permutations with a low complexity. The core idea is using a differential path consisting of only non-full-active states. This gives us the freedom to efficiently control the inside of the Super-Sbox. We then applied this framework to the full-round ECHO permutation by taking properties specific to ECHO into account. Consequently, our attack could detect a non-ideal property with time $2^{182}$ and memory $2^{37}$. Note that because of the convolution operation, our attack cannot be extended to the hash or compression function. We then applied our approach to Grøstl to obtain a distinguishing attack on the 8-round Grøstl-256 permutation with a practical cost, and to obtain an improvement on the semi-free-start collision attack on the 7-round Grøstl-512 compression function. 
A Attack Procedures on 7-Round ECHO Permutation 

Using the differential path shown in Fig. 11, we present an attack on the 7-round ECHO permutation with time $2^{118}$ and memory $2^{38}$. 

Step 1. An attacker picks a difference at state #A (from $2^{128}$ patterns) and calculates the difference backward to #B (the state after the second SubBytes). 

Step 2. The transformation from #B to #C can be divided into 64 independent 4-byte Super-Sboxes. For each Super-Sbox with a fixed output difference, by testing all $2^{32}$ output values, the attacker can build a table of all possible input values and differences. At the end of Step 2, all the possible pairs at #C are stored in a table named T1 that is composed of 64 small tables, each of size $2^{32}$. Hence, we need $2^{38}$ memory for this step. 

Step 3. For each active BigWord at #D, the attacker picks a difference and calculates the corresponding difference of the BigColumn at #C. The attacker then checks whether the calculated difference exists in T1. Once it exists, the attacker uses the corresponding real values at #C to calculate back the real values at #D. This test is repeated for all possible differences for each active BigWord of #D, and all possible differences and real values at #D are stored in a new table named T2. The time and memory for Step 3 are both $2^{32}$. 



Fig. 11. Differential path for 7-round ECHO permutation 
Step 4. For all the possible pairs at each active BigWord at #D, the attacker calculates the pairs at #E and stores the results as a table named T3. 

Step 5. For all the possible $2^{32}$ differences at #F, the attacker calculates the differences at #E and checks whether the calculated difference exists in T3. 

When Steps 1 to 5 are applied to Fig. 11, the inbound and backward outbound phases are merged and calculated efficiently. By applying the procedure once, with time $2^{32}$ and memory $2^{38}$, the attacker gets $2^{32}$ starting points. Note that with the $2^{128}$ freedom of the differences at #A, the forward outbound phase can be fulfilled. As a result, the total complexity is $2^{118}$ in time by the observations in Section 5.1 and $2^{38}$ in memory. 

B Attack on 3-Round ECHO-SP Compression Function 

Note that, for the attack in Appendix A, there is no specific requirement on the differences at state #A. Using this property we can find a non-ideal property of the 3-round single-pipe ECHO compression function specified in [ref]. 

The differential path is shown in Fig. 12. An attacker makes sure the differences at #A can be cancelled in the compression calculation, i.e. for each row of BigWords at #A, the difference labeled A is the same as the one labeled B. By applying the procedure in Appendix A, this differential path can be satisfied using $2^{32}$ time and $2^{38}$ memory, while it costs $2^{64}$ for the ideal case. 



Fig. 12. Differential path of 3-round single-pipe ECHO compression function 
Abstract. We revisit narrow-pipe designs that are in practical use, and their security against preimage attacks. Our results are the best known preimage attacks on Tiger, MD4, and reduced SHA-2, with the result on Tiger being the first cryptanalytic shortcut attack on the full hash function. Our attacks run in time $2^{188.8}$ for finding preimages, and $2^{188.2}$ for second-preimages. Both have memory requirements of order $2^{8}$, which is much less than in any other recent preimage attacks on reduced Tiger. Using pre-computation techniques, the time complexity for finding a new preimage or second-preimage for MD4 can now be as low as $2^{78.4}$ and $2^{69.4}$ MD4 computations, respectively. The second-preimage attack works for all messages longer than 2 blocks. 

To obtain these results, we extend the meet-in-the-middle framework 
recently developed by Aoki and Sasaki in a series of papers. In addition 
to various algorithm-specific techniques, we use a number of conceptually 
new ideas that are applicable to a larger class of constructions. Among 
them are (1) incorporating multi-target scenarios into the MITM frame- 
work, leading to faster preimages from pseudo-preimages, (2) a simple 
precomputation technique that allows for finding new preimages at the 
cost of a single pseudo-preimage, and (3) probabilistic initial structures, 
to reduce the attack time complexity. All the techniques developed await 
application to other hash functions. To illustrate this, we give as another 
example improved preimage attacks on SHA-2 members. 

Keywords: Preimage, MD4, Tiger, SHA-2, Hash function, Cryptanalysis. 


1 Introduction 

After the spectacular collision attacks on MD5 and SHA-1 by Wang et al. and follow-up work [refs], implementors have reconsidered their choices. While starting a very productive phase of research on the design and analysis of cryptographic hash functions, the impact of these results in terms of practical and worrying attacks turned out to be less than anticipated (exceptions are e.g., [refs]). Instead of collision resistance, another property of hash functions is more crucial for practical security: preimage resistance. Hence, research on preimage attacks and the security margin of hash functions against those attacks seems well motivated, especially if those hash functions are in practical use. 

An important ongoing challenge is to find an efficient and trustworthy new hash 
function for long term use (e.g., in the SHA-3 competition). For new hash func- 
tions, an important first step to get confidence in them is to apply known crypt- 
analysis methods in order to break them. So the cryptanalysts’ toolbox needs to 
be well equipped for this. 

The new techniques we present in this paper contribute to both issues at 
the same time. They give new, generically applicable tools to cryptanalysts 
for analyzing compression functions and hash functions, and at the same time 
applications of them improve significantly upon known preimage attacks on 
hash functions in practical use, like MD4, Tiger, and SHA-256/512. In the fol- 
lowing we outline the new tools and new results that will be described later 
in the paper. We describe them in a way to fit into the meet-in-the-middle (MITM) framework of Aoki and Sasaki as recently developed in a series of papers [refs], although we note that the basic approach was pioneered by Lai and Massey [ref]. Other interesting approaches to preimage attacks appeared 


New methods. New methods described in this paper that are independent of a particular attack or hash function are the following: 

— Probabilistic initial structure, compared with a (deterministic) initial structure, is found to be useful for significantly reducing the attack complexity. To improve the time complexity of a MITM preimage attack, the attackers usually need to find more neutral words. This usually reduces the number of attackable steps, due to the fact that the more neutral words there are, the faster the neutrality is destroyed, and the fewer steps can be covered by independent chunks, initial structure, and partial matching. Hence, there is a tradeoff between the size of the neutral words and the attackable steps. In this paper, using MD4 in Section 3 as an example, we show one can use more neutral words and maintain a long initial structure at the same time, at the cost of turning the initial structure into a probabilistic one. A similar technique has been used in [ref]; however, there it serves the purpose of better approximating the initial structure, and the attack complexity is not reduced due to limited bits for partial matching. 

— Incorporating multi-target scenarios into the MITM framework, 
leading to faster preimage attacks. The MITM framework is the basis for 
several theoretically interesting results on the preimage resistance of various 
hash functions, mostly close to brute force search complexities. One reason 
for this is that in order to exploit all the options of this framework, matching 
points of the meet-in-the-middle phase can be anywhere in the computation 
of the compression function, and not necessarily at their beginning or end. 
Even though this gives an attacker more freedom in the design of a compres- 
sion function attack, this always leads to big efficiency losses when the attack 
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on the compression function is converted to an attack on the hash function. 
Hence, an attacker basically has to choose between a more restricted (and 
potentially much slower) strategy in the compression function attack that 
allows more control over the chaining values and in turn allows efficient tree- 
or graph-based conversion methods, or to fully exploit the freedom given by 
the latest versions of the MITM framework in the compression function at- 
tack at the cost of inefficient conversion methods. In Section 2.2 we describe 
a way to combine the best of both worlds. Later in the paper, this results in 
the best known preimage attacks for Tiger and the SHA-2 members. 

— A simple precomputation technique that allows for finding new preimages at the cost of a single pseudo-preimage. See Section 3 for an application to MD4, where this approach is shown to outperform any point on the time/memory trade-off curve by Hellman [ref] (which was proven optimal in [ref] in the generic case). 


New results in perspective. In addition to the conceptual ideas that con- 
tribute to the cryptanalysts’ toolbox in general, we also apply those ideas and 
present concrete results. In fact, we manage to improve the best known preimage 
attacks on a number of hash functions in practical use. A table of the best related 
works, and the comparison with our main results, can be found in [ref]. 

- Tiger: One of the few unbroken but time-tested hash functions, designed by Anderson and Biham [ref] in 1996, Tiger is sometimes recommended as an alternative to MD4-like designs like SHA-1, especially because it is faster than SHA-1 on common platforms. Tiger is in practical use e.g., in decentralized file systems, or in many file sharing protocols and applications, often in a Merkle-tree construction (also known as TigerTree [ref]). The best collision attack on Tiger is on 19 rounds [ref]¹. So far the best preimage attack on the Tiger hash function is by Wang and Sasaki [ref]. Independently of our work, they applied the MITM preimage attack to Tiger reduced to 23 steps with time complexity higher than ours ($1.4 \times 2^{189}$) and memory requirements of $2^{22}$ units. Our new attack improves those in many aspects and seems to be the first cryptanalytic shortcut attack on the full Tiger hash function. Our attack on the full 24-round hash function has time complexity $2^{188.8}$ (the compression function attack is $2^{185.4}$) and memory requirements are only in the order of $2^{8}$. These results are obtained using the multi-target technique mentioned above, and a dedicated technique to construct an initial structure in a precomputation. 

— MD4: Even though very efficient collision search methods exist for MD4 [refs], this hash function is still in practical use. Examples include password handling in Windows NT, the S/KEY one-time-password system [ref], 

1 If an attacker can choose both the difference and the actual values not only of the message, but also of the chaining input, then the full compression function can be attacked, see Mendel and Rijmen [ref]. However, this attack cannot be extended to the hash function, whereas all the attacks in this paper can. 
integrity checks in popular protocols e.g., rsync [ref] or file-sharing protocols [ref] and applications. The time complexity for the best known compression function attack is reduced from $2^{96}$ (by Leurent [ref]) to $2^{72}$. Assuming $2^{128}$ precomputation using the large precomputation technique mentioned above, and $2^{81}$ storage, the effort for finding any new preimage (be it for the same or a different target hash value as a challenge) can now be as low as $2^{78.4}$. 

— SHA-2: The members of the SHA-2 family of hash functions are probably 
among the most interesting cryptanalytic targets, not only because of the 
uptake of its adoption in all places where a hash function is needed (and they 
are countless), but also because they are used to compare them to candidates 
of the ongoing SHA-3 competition. We use SHA-2 members as an example 
to illustrate the effect of using the multi-target scenario. This way we also 
improve the best known preimage attacks on reduced SHA-256 and reduced 
SHA-512. They are described in [ref, Appendix A]. 

Outline. This paper is organized as follows. Section 2 describes the MITM preimage attack, four different methods converting pseudo-preimages to preimages (including two new ones), and also recapitulates techniques to extend MITM-based preimage attacks. We apply these new techniques to MD4 and Tiger in Section 3 and Section 4, respectively. Section 5 concludes the paper. 

2 The Meet-in-the-Middle Preimage Attack 

The general idea of the preimage attack, illustrated in Fig. 1, can be explained as follows: 

1. Split the compression function into two chunks, where the values in one chunk do not depend on some message word $W_p$ and the values in the other chunk do not depend on another message word $W_q$ ($p \neq q$). We follow the convention and call such words neutral with respect to the first and second chunk, respectively. 

2. Fix all other values except for $W_p$, $W_q$ to random values and assign random values to the chaining registers at the splitting point. 

3. Start the computation both backward and forward from the splitting point to form two lists $L_p$, $L_q$ indexed by all possible values of $W_p$ and $W_q$, containing the computed values of the chaining registers at the matching point. 

4. Compare the two lists to find partial matches (a match for one or a few registers instead of the full chaining) at the matching point. 

5. Repeat the above three steps with different initial configurations (values for the splitting point and other message words) until a full match is found. 

6. Note that the match gives a pseudo-preimage, as the initial value is determined during the attack. However, it is possible to convert pseudo-preimages to a preimage using a generic technique described in [ref, Fact 9.99]. One can compute many pseudo-preimages, and then find a message which links the IV to one of the input chaining values of the pseudo-preimages. 
With a work effort of $2^{l}$ compression evaluations (let the space for both $W_p$ and $W_q$ be $2^{l}$), we obtain two lists, each one containing $2^{l}$ values of the register to match. When we consider all of the $2^{2l}$ possible pairs, we expect to get around $2^{l}$ matches (assume we match $l$ bits at the matching point). This means that after $2^{l}$ computations we get $2^{l}$ matches on one register, effectively reducing the search space by $2^{l}$. Leaving all the other registers to chance allows us to find a complete match and thus a pseudo-preimage in $2^{n-l}$ computations if the chaining is of $n$ bits. We repeat the pseudo-preimage finding $2^{l/2}$ times, which costs $2^{n-l/2}$, and then find a message which links to one of the $2^{l/2}$ pseudo-preimages; this costs $2^{n-l/2}$. So the overall complexity for finding one preimage is $2^{n-l/2+1}$, with memory requirement of order $2^{l}$. 


[Figure: labels "split" and "match" only] 

Fig. 1. Meet-in-the-Middle Pseudo-Preimage Attack against Davies-Meyer Hash Functions 

Remark on bits for partial matching. Assume we have $m$ bits for partial matching; we expect $2^{2l-m}$ good candidates with the $m$ bits matched. However, we still need to check if one of the remaining candidates gives a full match (pseudo-preimage); the checking costs about $2^{2l-m}$ (a bit less indeed, since we can store the computed candidates up to the point before partial matching, and re-check the partial matching portion only). To minimize the time complexity, we require $m \geq l$, so that the partial matching costs $2^{2l-m} \leq 2^{l}$, which can be neglected. 

2.1 Multi-Target Pseudo Preimage (MTPP) 

In [ref], Leurent provides an unbalanced-tree multi-target pseudo-preimage method to convert the pseudo-preimages to a preimage with complexity $(l \ln(2) + 1) \cdot 2^{n-l}$, compared with $2^{n-l/2+1}$ in [ref, Fact 9.99]. Suppose the matching point is at the end of the compression function. The matching process is to find $l_p + l_q = t$ ($l_p \in L_p$, $l_q \in L_q$, and $t \in T$, the set of known targets). When we are given $k$ targets, the chance to find a match increases by a factor $k$, i.e., it takes $2^{n-l}/k$ to find a pseudo-preimage which links to one of the $k$ targets. To find $2^{k}$ pseudo-preimages, it takes $2^{n-l}/1 + 2^{n-l}/2 + 2^{n-l}/3 + \cdots + 2^{n-l}/2^{k} \approx k \ln(2) \cdot 2^{n-l}$. To find a preimage, it is expected to repeat $2^{n-k}$ blocks finding a message which links to one of the $2^{k}$ targets. Taking the optimal $k = l$, the overall complexity is 

$2^{n-k} + k \ln(2) \cdot 2^{n-l} = (l \ln(2) + 1) \cdot 2^{n-l}.$    (1) 



Advanced Meet-in-the-Middle Preimage Attacks 




Note this conversion does not necessarily increase the memory requirement, i.e., it can be the same as for finding a pseudo-preimage, since we compute the $2^{l}$ pseudo-preimages in sequence. 

Enhanced 3-Sum Problem. The above conversion comes with the assumption that the matching can be done within $2^{l}$. Note that from each chunk we have $2^{l}$ candidates (denoted $L_p$ and $L_q$), and given $2^{k}$ targets (denoted $T$), we are to find all possible $(l_p, l_q, t)$, where $l_p \in L_p$, $l_q \in L_q$ and $t \in T$, such that $l_p + l_q = t$. We call this problem the Enhanced 3-Sum Problem, where the standard 3-sum problem decides whether there is a solution [ref]. Current research progress [ref] shows that the problem can be solved in $O(2^{2l})$ or slightly faster. So this approach expects the matching to be done in $2^{2l}$ (for $k = l$) instead of the assumed $2^{l}$. However, the matching only occurs in the final feed-forward operation ("+" in most of the MD hash families), which is a small portion of the compression. Hence this approach expects $2^{2l}$ "+" operations to be roughly equivalent to $2^{l}$ compression computations by counting the number of "+" in the compression, when $l$ is relatively small (e.g., $< 7$ for MD4 and Tiger, since there are about $2^{7}$ "+" in the MD4 compression; we simply count the number of operations ("+", "×" and sbox lookup) in the case of Tiger). 

2.2 Generic Multi-Target Pseudo Preimage (GMTPP) 

The framework of Aoki and Sasaki could not take advantage of a multi-target scenario to speed up the conversion from pseudo-preimages to preimages. The reason is a rather strong requirement on the compression function attack by the MTPP approach outlined above. By generalizing the setting, we weaken the assumption on the compression function attack, and hence allow the MITM framework to take advantage of new speed-up possibilities. 

When the matching point is not at the end of the compression function, we can still make use of the multiple targets. Consider the sum of the sizes of $W_p$ and $W_q$ to be $2l$, and assume we can re-distribute the $2l$ bits to $W_p$ and $W_q$ freely². Given $2^{k}$ targets, we can distribute the $2l$ bits as $l + k/2$ and $l - k/2$, so that we have $2^{l+k/2}$ candidates for each direction (combining the $2^{l-k/2}$ and the $2^{k}$ targets to get $2^{l+k/2}$ candidates). In this way, we can find a pseudo-preimage in $2^{n-l-k/2}$, and finding $2^{k}$ targets costs $\sum_{i=1}^{2^{k}} 2^{n-l} \cdot i^{-1/2} \approx 2^{n-l+1+k/2}$ (see [ref, Appendix B] for a proof). So we can find the preimage in 

$2^{n-k} + 2^{n-l+1+k/2} = 3 \cdot 2^{n-2l/3}$    (2) 

taking the optimal $k = 2l/3$. For this method to work, we will need more matching bits: $4l/3$ bits instead of $l$ (we have $2^{4l/3}$ candidates for both directions). The memory requirement hence increases to $2^{4l/3}$. Here we trade memory for speed from $2^{n-l}/2^{l}$ (time/memory) to $2^{n-l-k/2}/2^{l+k/2}$ for $k = 0, \ldots, 2l/3$. And we have full control over any other speed/memory balance in between by making use of the proper number of given targets, i.e., less than $2^{k}$. 

2 This being a very natural assumption is illustrated by the fact that for both MD4 and SHA-2 we can give a useful application that uses this. 
Table 1. Comparison of methods converting pseudo-preimage to preimage 

Name        | Reference          | Time                         | Memory             | PM     | Assumption 
Traditional | Section 2, [ref]   | $2^{n-l/2+1}$                | $2^{l}$            | $l$    | 
GMTPP       | new, Section 2.2   | $3 \cdot 2^{n-2l/3}$         | $2^{4l/3}$         | $4l/3$ | redistribute neutral bits 
MTPP        | Section 2.1, [ref] | $(l \ln(2)+1) \cdot 2^{n-l}$ | $2^{l}$            | $2l$   | Enhanced 3-SUM; PM at feedforward 
FPLP        | new, Section 2.3   | $2^{n-l}$                    | $\max(2^{s},2^{l})$ | $l$    | $2^{n}$ precomputation; subset of chaining of size $2^{s}$ 

(PM: number of bits for partial matching.) 


2.3 Finding Preimages Using Large Precomputation (FPLP) 

Here, we describe a simple technique to turn a large class of pseudo-preimage attacks into preimage attacks without any speed loss. The method requires an initial large precomputation of order $2^{n}$ and hence needs to be compared with the time/memory trade-off proposed by Hellman [ref]. This means that the time and memory requirements of a dedicated attack need to be below the $TM^{2} = N^{2}$ tradeoff curve in order to be considered an improvement over the generic attack. 

The approach may be described as follows: in the precomputation phase, one tries to find messages for all possible chaining outputs, i.e., find $m_i$ such that $\mathrm{hash}(m_i) = h_i$ for (almost) all possible target hash values $h_i$, but only store those messages $m_i$ in a table together with the output which can actually "happen" in the pseudo-preimage attack. In the online phase, after the pseudo-preimage attack is carried out, a simple lookup into this memory is enough to find the right linking message. The memory requirement depends on the subset of all possible chaining inputs the pseudo-preimage attack can possibly result in. If this subset can be restricted enough, and the pseudo-preimage attack is fast enough, the approach may outperform the generic method. In Section 3.3 we give an actual example where this is the case for MD4, which seems to be the first result of this kind. 

Four different conversion techniques are summarized in Table 1. Our point here is to illustrate and compare various approaches and the assumptions they make on the compression function attack. For simplicity, other conversion methods somewhat similar to MTPP (tree construction in [ref], alternative tree and graph construction in [ref]) are not listed. As an example, the new attack on the MD4 compression function satisfies only the assumptions of the traditional and the FPLP approach, whereas the new attacks on the Tiger compression function and the SHA-2 compression function satisfy the assumption made by the GMTPP approach. 

3 Improved Preimage Attack against MD4 

3.1 Description of MD4 

MD4 follows the traditional MD-strengthening: the original message is padded by a 1, followed by many 0's and the 64-bit length information, so that the length of the padded message becomes a multiple of 512. Then the padded message is divided into blocks of 512 bits and fed into the compression function iteratively. The output of the final compression is the hash. The compression function follows the Davies-Meyer construction, and comes with two major parts: message scheduling and step function. Message scheduling divides the 512-bit message block into 16 words (32 bits each) and expands them into 48 using permutations, as shown in the following table. 

First pass:   0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 
Second pass:  0  4  8 12  1  5  9 13  2  6 10 14  3  7 11 15 
Third pass:   0  8  4 12  2 10  6 14  1  9  5 13  3 11  7 15 

Starting from the input chaining, the expanded words are fed into the step function iteratively. The output of the last step is added to the input chaining to give the output of the compression function. The step function takes four registers as input, and updates one as 

$Q_i = (Q_{i-4} + F_i(Q_{i-1}, Q_{i-2}, Q_{i-3}) + M_{\pi(i)} + C_i) \lll r_i$ 

for $i = 0, \ldots, 47$, where $C_i$ and $r_i$ are predefined constants, $\pi$ is the permutation defined in the above table, and the functions $F_i$ are defined in the following table. We use typewriter font to denote hex numbers, such as 5A827999, $\mathbf{1}$ for FFFFFFFF, and $\mathbf{0}$ for 00000000. 


First pass    $0 \le i < 16$    $F_i = \mathrm{IF}$    $C_i = K_0 = \mathbf{0}$ 
Second pass   $16 \le i < 32$   $F_i = \mathrm{MAJ}$   $C_i = K_1 = $ 5A827999 
Third pass    $32 \le i < 48$   $F_i = \mathrm{XOR}$   $C_i = K_2 = $ 6ED9EBA1 
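The description above is complete enough to implement the function directly in the $Q_i$ step-function form used by the paper. The following Python transcription is an added example written for this edit, not code from the paper or its authors; it assumes the standard MD4 initial value and the little-endian word and length encoding of RFC 1320, which the paper does not restate, and it is checked against the RFC 1320 test vectors so that the table of permutations, rotations and constants can be verified by running it.

```python
# Added example (not from the paper): MD4 in the Q_i step-function form of
# Section 3.1, checked against RFC 1320 test vectors. Assumed: the standard
# MD4 IV and little-endian word/length encoding from RFC 1320.
import struct

MASK = 0xFFFFFFFF


def rotl(x, r):
    """32-bit left rotation (the <<< r_i of the step function)."""
    return ((x << r) | (x >> (32 - r))) & MASK


# The three Boolean functions F_i of the table above
def IF(x, y, z):
    return (x & y) | (~x & z)


def MAJ(x, y, z):
    return (x & y) | (x & z) | (y & z)


def XOR(x, y, z):
    return x ^ y ^ z


# Message-word permutation pi(i): the three rows of the schedule table
PI = (list(range(16))
      + [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
      + [0, 8, 4, 12, 2, 10, 6, 14,  1, 9, 5, 13, 3, 11, 7, 15])
# Rotation amounts r_i (RFC 1320), repeating every four steps within a pass
R = [3, 7, 11, 19] * 4 + [3, 5, 9, 13] * 4 + [3, 9, 11, 15] * 4
F = [IF] * 16 + [MAJ] * 16 + [XOR] * 16
# C_i = K_0, K_1, K_2 per pass
C = [0x00000000] * 16 + [0x5A827999] * 16 + [0x6ED9EBA1] * 16

IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def md4_step(i, q, m):
    """Q_i = (Q_{i-4} + F_i(Q_{i-1}, Q_{i-2}, Q_{i-3}) + M_{pi(i)} + C_i) <<< r_i.
    q holds Q_{-4} .. Q_{i-1}, with Q_j stored at q[j + 4]."""
    total = q[i] + F[i](q[i + 3], q[i + 2], q[i + 1]) + m[PI[i]] + C[i]
    return rotl(total & MASK, R[i])


def md4_compress(chaining, block):
    """One Davies-Meyer compression: 48 steps, then feed-forward of the input chaining."""
    a, b, c, d = chaining
    m = list(struct.unpack("<16I", block))
    q = [a, d, c, b]                       # Q_{-4}, Q_{-3}, Q_{-2}, Q_{-1}
    for i in range(48):
        q.append(md4_step(i, q, m))
    # The final registers are Q_44 (A), Q_45 (D), Q_46 (C), Q_47 (B)
    return ((a + q[48]) & MASK, (b + q[51]) & MASK,
            (c + q[50]) & MASK, (d + q[49]) & MASK)


def md4_pad(msg):
    """MD-strengthening: a 1 bit, zeros, then the 64-bit message length in bits."""
    bit_len = (8 * len(msg)) & 0xFFFFFFFFFFFFFFFF
    padded = msg + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack("<Q", bit_len)


def md4(msg):
    """Hex digest of msg (bytes)."""
    h = IV
    padded = md4_pad(msg)
    for off in range(0, len(padded), 64):
        h = md4_compress(h, padded[off:off + 64])
    return struct.pack("<4I", *h).hex()


if __name__ == "__main__":
    for sample in (b"", b"abc"):
        print(sample, md4(sample))
```

The register order in `q` matters: with $Q_{-4} = A$, $Q_{-3} = D$, $Q_{-2} = C$ and $Q_{-1} = B$, step 0 updates $A$, step 1 updates $D$, and so on, which is exactly the rotating register assignment of the RFC description.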


3.2 Faster Pseudo Preimage Attack 

In this section, we present a pseudo-preimage attack in $2^{72}$. The separation of chunks is: steps $\{10, \ldots, 26\}$ for the initial structure, steps $\{40, \ldots, 47, 0, \ldots, 9\}$ for the first chunk, steps $\{27, \ldots, 36\}$ for the second chunk, and steps $\{37, 38, 39\}$ for partial matching. We choose $(M_9, Q_6)$ as $W_p$ and $(M_{14}, Q_{26})$ as $W_q$. The initial structure covers 17 steps from Step 10 to Step 26, as shown in Fig. 2 with $a = b = \mathbf{1}$. Note that every register and message word within the initial structure except $Q_6, M_{10}, M_{14}, M_9, Q_{26}$ are fixed to some random values. The concept of a 4-cycle local-collision path has been used in [refs]. However, none of those paths help in our MITM preimage attack, since we cannot find more proper choices of neutral words. In our initial structure, the relation between $Q_6$ and $Q_{26}$ satisfies 

$Q_{26} - Q_6 = \varphi(M_9, M_{10}, M_{14})$    (3) 

for some function $\varphi$. Note $\varphi$ is fixed when all other registers/message words are fixed. 

We fix all other registers in Fig. 2 in such a way that the influence of the registers in the bold line is absorbed when passing through the F function (this is called the cross absorption property). Details can be found in [ref]. All required values are shown in Fig. 2. However, this setting results in no solution, since it is over-constrained on $M_{12}$ and $M_{13}$. To overcome this problem, we propose a probabilistic initial structure. 
Fig. 2. 17-Step Probabilistic Initial Structure for MD4 


Probabilistic Initial Structure. Consider the probability for $a = \mathrm{IF}(b, a, x)$, where $a, b$ are fixed constants and $x$ is a random value in $\mathbb{F}_2^{32}$. The equation does not hold for all $x$. However, if $|b|$ (the Hamming weight) is very close to 32, then we can expect the equation to hold with high probability. Instead of setting the inputs of IF to be strictly $\mathbf{1}$ or $\mathbf{0}$, we use some other values which are close to $\mathbf{1}$ or $\mathbf{0}$ (similarly, we force two inputs of MAJ to be very close), which enables us to find some solutions for the initial structure, as shown in Fig. 2, where $a, b$ are variables to be decided later. 

We list the equations of the constraints here: 


Step 11:  $Q_9 = Q_8$ 
Step 12:  $Q_{11} = \mathbf{0}$          $\iff$  $Q_7 + Q_8 + M_{11} = \mathbf{0}$ 
Step 13:  $Q_{12} = a$                   $\iff$  $(Q_8 + Q_9 + M_{12}) \lll 3 = a$ 
Step 15:  $Q_{13} = Q_{12} = a$          $\iff$  $(Q_9 + M_{13}) \lll 7 = a$ 
Step 16:  $Q_{15} = Q_{13} = a$          $\iff$  $(a + M_{15}) \lll 19 = a$ 
Step 17:  $Q_{16} = Q_{15} = a$          $\iff$  $(a + a + M_0 + K_1) \lll 3 = a$ 
Step 18:  $Q_{17} = Q_{16} = a$          $\iff$  $(a + a + M_4 + K_1) \lll 5 = a$ 
Step 19:  $Q_{19} = b$                   $\iff$  $(a + a + M_{12} + K_1) \lll 13 = b$ 
Step 20:  $Q_{20} = Q_{19} = b$          $\iff$  $(a + a + M_1 + K_1) \lll 3 = b$ 
Step 22:  $Q_{21} = Q_{20} = b$          $\iff$  $(a + b + M_5 + K_1) \lll 5 = b$ 
Step 24:  $Q_{23} = Q_{21} = b$          $\iff$  $(b + b + M_{13} + K_1) \lll 13 = b$ 
Step 25:  $Q_{24} = Q_{23} = b$          $\iff$  $(b + b + M_2 + K_1) \lll 3 = b$ 
                                                                             (4) 


The above system of equations allows us to have choices for $a$ and $b$. Note that 
we used two probabilistic approximations in two places, i.e., $\mathrm{IF}(a, \mathbf{0}, Q_{10}) = \mathbf{0}$ 
at Step 13, and $\mathrm{MAJ}(b, Q_{18}, a) = a$ at Step 20. These happen with probability 
$2^{|a|-32}$ and $2^{-|a \oplus b|}$, respectively (assume $Q_{10}$ and $Q_{18}$ are uniformly distributed). 
To have high probability, we search for the $a, b$ which maximize $\mathrm{prob} = 2^{|a| - |a \oplus b| - 32}$. We found $a$ = EFFFBFEF and $b$ = EFCF1F6F, which give $\mathrm{prob} = 2^{-8}$. Solving (4) leaves $M_0$ = C37DFE86, $M_1$ = C377EA76, $M_2$ = C3D92B76, $M_4$ = 44FE0488, $M_5$ = 452D2004, $M_{12}$ = C0FD8501, $M_{13}$ = C15EC601, $M_{15}$ = 07FE3E10, $Q_8 = Q_9$ = 1E81397E, and $Q_7 + M_{11}$ = E17EC682. To ensure this works as expected, we verified the probability using a C program [ref], and the experiment confirms the result. 
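The constraint system (4) and the probability estimate can both be checked mechanically from the values just listed. The script below is an added example written for this edit, not the authors' C program: it evaluates each line of (4) with 32-bit modular addition and rotation, computes the closed-form exponent $|a| - 32 - |a \oplus b|$, and estimates the same probability by drawing $Q_{10}$ and $Q_{18}$ uniformly at random (the sample count and seed are this example's own choices).

```python
# Added example (not the authors' C program): check that the published
# constants satisfy every line of system (4), and compute the probability
# of the two approximations, 2^{|a| - 32 - |a xor b|}, both exactly and
# by Monte Carlo with uniform Q_10, Q_18 (trial count and seed are assumed).
import math
import random

MASK = 0xFFFFFFFF
K1 = 0x5A827999                        # second-pass constant K_1


def rotl(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK


def add(*xs):
    return sum(xs) & MASK              # modular addition, as in the MD4 step


def IF(x, y, z):
    return (x & y) | (~x & z)


def MAJ(x, y, z):
    return (x & y) | (x & z) | (y & z)


# Values reported in Section 3.2 as the solution of (4)
A, B = 0xEFFFBFEF, 0xEFCF1F6F
M = {0: 0xC37DFE86, 1: 0xC377EA76, 2: 0xC3D92B76, 4: 0x44FE0488,
     5: 0x452D2004, 12: 0xC0FD8501, 13: 0xC15EC601, 15: 0x07FE3E10}
Q8 = Q9 = 0x1E81397E
Q7_PLUS_M11 = 0xE17EC682


def check_system(a=A, b=B):
    """Evaluate each constraint of (4); returns {step label: holds}."""
    return {
        11: Q9 == Q8,
        12: add(Q7_PLUS_M11, Q8) == 0,             # Q_7 + Q_8 + M_11 = 0
        13: rotl(add(Q8, Q9, M[12]), 3) == a,
        15: rotl(add(Q9, M[13]), 7) == a,
        16: rotl(add(a, M[15]), 19) == a,
        17: rotl(add(a, a, M[0], K1), 3) == a,
        18: rotl(add(a, a, M[4], K1), 5) == a,
        19: rotl(add(a, a, M[12], K1), 13) == b,
        20: rotl(add(a, a, M[1], K1), 3) == b,
        22: rotl(add(a, b, M[5], K1), 5) == b,
        24: rotl(add(b, b, M[13], K1), 13) == b,
        25: rotl(add(b, b, M[2], K1), 3) == b,
    }


def log2_prob(a=A, b=B):
    """log2 of Pr[IF(a, 0, Q10) = 0 and MAJ(b, Q18, a) = a] for uniform Q10, Q18.
    IF(a, 0, x) = ~a & x vanishes iff x is 0 wherever a is 0: 2^{|a| - 32}.
    MAJ(b, x, a) = a iff x agrees with a wherever a != b: 2^{-|a xor b|}."""
    return bin(a).count("1") - 32 - bin(a ^ b).count("1")


def empirical_log2_prob(a=A, b=B, trials=1 << 16, seed=2010):
    """Monte Carlo estimate of the same probability (seeded, so repeatable)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        q10, q18 = rng.getrandbits(32), rng.getrandbits(32)
        if IF(a, 0, q10) == 0 and MAJ(b, q18, a) == a:
            hits += 1
    return math.log2(hits / trials) if hits else float("-inf")


if __name__ == "__main__":
    print(check_system())
    print(log2_prob(), empirical_log2_prob())   # -8 and approximately -8
```

Because `check_system` evaluates the right-hand sides of (4) with the actual MD4 operations, changing any single constant (for instance flipping one bit of $a$) makes at least one line fail, which is a useful sanity check when transcribing such tables.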

The pseudo-preimage algorithm

1. Fix all mentioned message words/registers as above.

2. Randomly assign all other message words, except M_9, M_{10} and M_{14}.

3. Compute (Q_7, Q_8, Q_9) and (Q_{23}, Q_{24}, Q_{25}).

4. For all (Q_{26}, M_{14}), compute forward from step 27 up to step 36, and obtain the list (L_q, Q_{26}, M_{14}) (expected size $2^{64}$).

5. For all (Q_6, M_9), compute backward from step 9 up to step 0, and obtain the list (L'_p, Q_6, M_9) (expected size $2^{64}$).

6. Do the feedforward and add the target, continue computing backwards up to step 40, and obtain the list (L_p, Q_6, M_9) (expected size $2^{64}$).

7. Do partial matching with Q_{36} and Q_{39} ($2^{64+64-64} = 2^{64}$ pairs left), then match with Q_{38} ($2^{64-32} = 2^{32}$ pairs left).

8. For each pair left, compute the right M_{10} such that Q_{37} is also matched (we have $2^{32}$ pairs (M_{14}, Q_{26}, M_9, Q_6, M_{10}) fully matched).

9. Check if any pair left satisfies Eqn (4); if yes, output the pseudo-preimage; otherwise repeat the above process until a pseudo-preimage is found ($2^{32+8-32} = 2^8$ repetitions expected).

Clearly, the complexity is $2^{72}$ with memory requirement $2^{64}$. There are some other additional properties. Note that given a new target, we can reuse the two lists L_p and L_q, so that the computation starts from Step [?] in the algorithm, which results in a slightly faster pseudo-preimage in $2^{69.4}$. Furthermore, such an attack gives pseudo-preimages with chaining limited to the set L_p only.


3.3 Preimage Attack on the MD4 Hash Function 

To find a preimage using the pseudo-preimage attack above, we need to correct the padding. Note that M_{13} is precomputed, hence the length of the last block is fixed; we need to fix the least significant 9 bits of M_{14} accordingly, i.e., 447 (1BF in hex). Note that adding more blocks will only affect the length by a multiple of 512 ($2^9$). We leave the number of additional blocks to chance, as done in the algorithm in Section 3.2. A small modification of the algorithm (computing $2^{55}$ candidates for each direction during each repetition, so that $2^{128 - 55 \times 2 + 8} = 2^{26}$ repetitions are needed, hence the size of L_p increases to $2^{55+26} = 2^{81}$) will result in a pseudo-preimage in $2^{69.4+9} = 2^{78.4}$ with memory requirement $2^{55}$. This can be further converted into a preimage in $2^{99.7}$ using the traditional conversion (link to the input chaining of the last padded block), as the number of blocks can be resolved by an expandable message (we compute a pseudo-preimage following the padding rule in $2^{78.4}$, then apply the traditional conversion; now, padding is no longer a problem when inverting the second last block etc.).

The resulting message of this attack has at least $2^{50}$ blocks, due to the fact that M_{15} is the most significant word of the length (M_{15}||M_{14} denotes the length) and we have preset it to 07FE3E10.

Precomputation. Similarly, we can restrict the input chaining to a subset of size $2^{81}$, by re-using the lists whenever looking for a new pseudo-preimage. So the pseudo-preimage can also be converted to a preimage in $2^{78.4}$, when large precomputation is allowed. To achieve this, we precompute about $2^{128}$ different message blocks (prefixed by the expandable message) and store those with output in the restricted subset. This requires storage of order $2^{81}$ and precomputation effort $2^{128}$. Given a target, we compute a pseudo-preimage (with padding done), and it can be converted to a preimage by looking up the stored chaining values. Hence this requires online computation $2^{78.4}$ only. Using a similar $2^{128}$ precomputation, the generic Hellman tradeoff would either require almost $2^{7.8}$ times more memory ($2^{88.8}$) to achieve the same runtime, or would lead to online computation that is almost $2^{15.6}$ times slower ($2^{94}$) if the same memory were available.

3.4 Second-Preimage Attack on the MD4 Hash Function 

In contrast to finding preimages, we can avoid the padding issues when finding second-preimages by finding pseudo-preimages for the second last block etc., as done in [ref]. Given $2^{128}$ precomputation, the complexity of this second-preimage attack is $2^{69.4}$ with $2^{72}$ memory when k ≥ 2, i.e., it works for all messages with original length before padding of at least 2 blocks (1024 bits, at least 3 blocks after padding). Similarly, it works in time $2^{99.7}$ with $2^{64}$ memory without precomputation. Although a faster second-preimage attack exists [ref], that attack only works for very long messages, i.e., at least $2^{56}$ blocks. For comparison, a second preimage can be found in $2^{n-k}$ if the given message is of more than $2^k$ blocks, due to Kelsey and Schneier [ref] ($2^{64}$ for both time and memory if the optimal k = 64 can be achieved).

4 Preimage Attack against Tiger 

Before presenting the result, we give some notation used in this section. Let $X^o$ and $X^e$ denote the odd bytes and even bytes of register X, respectively. More generally, let $X^s$ denote the word whose bits indexed by the set s are the same as in X and whose remaining bits are set to 0. To be consistent, we define e = {0, …, 7, 16, …, 23, 32, …, 39, 48, …, 55} and o = {8, …, 15, 24, …, 31, 40, …, 47, 56, …, 63}.

4.1 Description of Tiger 

Tiger is an iterative hash function based on the MD structure. The message is padded, followed by the 64-bit length of the original message, so that the length of the padded message becomes a multiple of 512. Then it is split into blocks of 512 bits and fed into the compression function iteratively. The compression function of Tiger takes 3 chaining words and 8 message words (each word is of 64 bits) as input and produces the updated 3 chaining words as output. It consists of two parts: message expansion and step function. The input chaining is fed forward, together with the output of the last step function, to produce the output of the compression function, which is a variant of the Davies-Meyer construction. We introduce the step function and message expansion in detail as follows.

Step Function. We name the three input chaining words of the compression function A, B and C. These three registers are updated as follows: C ← C ⊕ X_i; A ← A − even(C); B ← (B + odd(C)) × mul. The result is then shifted around so that A, B, C become C, A, B. Here +, −, × are addition, subtraction and multiplication in $\mathbb{Z}_{2^{64}}$, respectively. The two non-linear functions even and odd are defined as follows:

$$
\begin{aligned}
\mathrm{even}(x) &= T_1[x^B_0] \oplus T_2[x^B_2] \oplus T_3[x^B_4] \oplus T_4[x^B_6], \\
\mathrm{odd}(x) &= T_4[x^B_1] \oplus T_3[x^B_3] \oplus T_2[x^B_5] \oplus T_1[x^B_7],
\end{aligned}
$$

where T_1, …, T_4 are four S-boxes defined on {0,1}^8 → {0,1}^64, and $x^B_i$ denotes the i-th least significant byte of x; the details can be found in [ref]. mul is 5, 7, 9 for the three passes, respectively.

Message Expansion. The 512-bit message block is split into 8 message words X_0, …, X_7, each of 64 bits. The key scheduling function takes X_0, …, X_7 as input and produces the message words {X_8, …, X_{15}} and {X_{16}, …, X_{23}} recursively as follows: (X_8, …, X_{15}) = KSF(X_0, …, X_7), (X_{16}, …, X_{23}) = KSF(X_8, …, X_{15}), where the key scheduling function KSF is defined as follows. We use (X_8, …, X_{15}) = KSF(X_0, …, X_7) as an example here.

First Step:

$$
\begin{aligned}
Y_0 &= X_0 - (X_7 \oplus K_3) \\
Y_1 &= X_1 \oplus Y_0 \\
Y_2 &= X_2 + Y_1 \\
Y_3 &= X_3 - (Y_2 \oplus (\overline{Y_1} \ll 19)) \\
Y_4 &= X_4 \oplus Y_3 \\
Y_5 &= X_5 + Y_4 \\
Y_6 &= X_6 - (Y_5 \oplus (\overline{Y_4} \gg 23)) \\
Y_7 &= X_7 \oplus Y_6
\end{aligned}
$$

Second Step:

$$
\begin{aligned}
X_8 &= Y_0 + Y_7 \\
X_9 &= Y_1 - (X_8 \oplus (\overline{Y_7} \ll 19)) \\
X_{10} &= Y_2 \oplus X_9 \\
X_{11} &= Y_3 + X_{10} \\
X_{12} &= Y_4 - (X_{11} \oplus (\overline{X_{10}} \gg 23)) \\
X_{13} &= Y_5 \oplus X_{12} \\
X_{14} &= Y_6 + X_{13} \\
X_{15} &= Y_7 - (X_{14} \oplus K_4)
\end{aligned}
$$

with K_3 = A5A5A5A5A5A5A5A5, K_4 = 0123456789ABCDEF, and $\overline{Y}$ denotes the bitwise complement of Y.
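The key scheduling function above, written out as an added example (not code from the paper or from the Tiger reference implementation). Besides KSF itself, it implements the inverse of KSF, which is what makes the observation in Section 4.3 work that one pass of 8 message words determines all the others: here for the pass-aligned case, the words of the second or third pass are inverted back to X_0, …, X_7 and re-expanded.

```python
# Added example (not the paper's code): Tiger key scheduling function KSF,
# its inverse, and the full 24-word message expansion.  K3, K4 and the shift
# amounts are the ones stated in the text; all arithmetic is mod 2^64.
MASK = (1 << 64) - 1
K3 = 0xA5A5A5A5A5A5A5A5
K4 = 0x0123456789ABCDEF


def _not(x):
    """Bitwise complement within 64 bits (the overline in the text)."""
    return x ^ MASK


def ksf(x):
    """(X8..X15) = KSF(X0..X7), computed in the two steps of the text."""
    x0, x1, x2, x3, x4, x5, x6, x7 = x
    # first step: Y0..Y7
    y0 = (x0 - (x7 ^ K3)) & MASK
    y1 = x1 ^ y0
    y2 = (x2 + y1) & MASK
    y3 = (x3 - (y2 ^ ((_not(y1) << 19) & MASK))) & MASK
    y4 = x4 ^ y3
    y5 = (x5 + y4) & MASK
    y6 = (x6 - (y5 ^ (_not(y4) >> 23))) & MASK
    y7 = x7 ^ y6
    # second step: X8..X15
    x8 = (y0 + y7) & MASK
    x9 = (y1 - (x8 ^ ((_not(y7) << 19) & MASK))) & MASK
    x10 = y2 ^ x9
    x11 = (y3 + x10) & MASK
    x12 = (y4 - (x11 ^ (_not(x10) >> 23))) & MASK
    x13 = y5 ^ x12
    x14 = (y6 + x13) & MASK
    x15 = (y7 - (x14 ^ K4)) & MASK
    return (x8, x9, x10, x11, x12, x13, x14, x15)


def ksf_inverse(x):
    """Recover (X0..X7) from (X8..X15).  Every line of KSF is an xor, an
    addition or a subtraction by an already-known value, so it is undone
    bottom-up: second step first, then the first step."""
    x8, x9, x10, x11, x12, x13, x14, x15 = x
    y7 = (x15 + (x14 ^ K4)) & MASK
    y6 = (x14 - x13) & MASK
    y5 = x13 ^ x12
    y4 = (x12 + (x11 ^ (_not(x10) >> 23))) & MASK
    y3 = (x11 - x10) & MASK
    y2 = x10 ^ x9
    y1 = (x9 + (x8 ^ ((_not(y7) << 19) & MASK))) & MASK
    y0 = (x8 - y7) & MASK
    x7 = y7 ^ y6
    x6 = (y6 + (y5 ^ (_not(y4) >> 23))) & MASK
    x5 = (y5 - y4) & MASK
    x4 = y4 ^ y3
    x3 = (y3 + (y2 ^ ((_not(y1) << 19) & MASK))) & MASK
    x2 = (y2 - y1) & MASK
    x1 = y1 ^ y0
    x0 = (y0 + (x7 ^ K3)) & MASK
    return (x0, x1, x2, x3, x4, x5, x6, x7)


def expand_message(block):
    """All 24 words X0..X23 of a 512-bit block given as 8 words."""
    first = tuple(w & MASK for w in block)
    second = ksf(first)
    third = ksf(second)
    return first + second + third


def words_from_pass(words, pass_index):
    """Rebuild X0..X23 from the 8 words of pass 1 (X8..X15) or pass 2
    (X16..X23) by inverting KSF pass_index times and re-expanding."""
    w = tuple(words)
    for _ in range(pass_index):
        w = ksf_inverse(w)
    return expand_message(w)


if __name__ == "__main__":
    # constructed sample block, not a test vector from any specification
    sample = tuple((0x0123456789ABCDEF * (i + 3)) & MASK for i in range(8))
    sched = expand_message(sample)
    assert words_from_pass(sched[16:24], 2) == sched
    print("X8..X15 :", [hex(w) for w in sched[8:16]])
```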

Attack Preview. The MITM preimage attack has been applied to Tiger, however only for variants reduced to 16 and 23 steps [refs], out of 24 in full Tiger. The difficulty lies in finding good neutral words, a longer initial structure and partial matching. In our attack, we find a 4-step initial structure, extend the partial matching to 5 steps and provide a choice of neutral words achieving this. However, each of them comes with constraints posed on message words/registers, due to the very complicated message scheduling used in Tiger. Throughout the description of the attack, we will explicitly give all those constraints, and explain how they can be fulfilled using the multi-word technique, i.e., utilizing the degrees of freedom of most message words and registers to fulfill these constraints, which are usually left as random in the original MITM preimage attacks.


4.2 Precomputed Initial Structure 

The original initial structure does not apply to Tiger, since the message words are xor-ed into the chaining, followed by addition/subtraction operations. One cannot swap the order of xor and addition/subtraction, unless the chaining values are within a certain range so that we can either approximate xor by addition, or approximate addition by xor. We can either restrict one of the inputs to 0, or force the output to be 1, e.g., X ⊕ 0 = X + 0, and X ⊕ Y = 1 if and only if X + Y = 1. Under this restriction, we are able to have a 4-step initial structure as shown in Fig. 3(a), which comes with the following three constraints.

Constraint 1. Variables from X_i lie on the odd bytes only, so that $X_i^e$ is fixed.

Constraint 2. Assume we have control over X_{i+4} on those bits so that $X_{i+4}^o$ is fixed, and there is no carry from even bytes to odd bytes, so that we can eventually move the $X_{i+4}^e$ further up above the odd function in step i+1. The idea is to keep the input to the odd function unchanged when we move the $X_{i+4}^e$, as shown in Fig. 3(b).

Constraint 3. $C_{i+3} \oplus X_{i+4}$ should be 1 on those bits where variables from X_{i+4} lie.

After the precomputed initial structure (PIS) is formed, we essentially swap the order of $X_i^o$ and $X_{i+4}^e$, which are 4 steps away from each other originally.

4.3 Message Compensation 

The length of each independent chunk is at most 7 steps, due to the fact that any consecutive 8 message words can generate all other words (i.e., they are related to all other words). Message compensation is used to achieve the maximum length (or close to maximum) for each chunk. Since we are able to have a 4-step PIS, we would have 7 + 4 + 1 + 7 = 19 steps for two chunks. Details are shown in Fig. 4, where X_7, …, X_{13} form the first chunk (7 steps), X_{14}, …, X_{18} may be dealt with using the precomputed initial structure as shown above, and X_{19}, …, X_{23}, X_0, X_1 are the second chunk (7 steps). In this way, we have 19-step extended chunks.

Fig. 3. 4-Step Initial Structure and 5-step Partial Matching for Tiger



Fig. 4. The neutral words with key scheduling function for Tiger 
For the first chunk, we use a few bits of X_{19} as the neutral word (we will discuss which bits are to be used later). We force X_{19} to be the only word affected in the third pass (i.e., X_{16}, …, X_{23}). We come up with such a configuration following the rule that there are as few words affected in the current pass as possible. In summary, we have {X_2, …, X_6, X_{10}, X_{11}, X_{12}, X_{19}} affected, as shown in Fig. 4(a). Note this comes with

Constraint 4. We use at most the least significant 23 bits of X_{19}, so that these bits disappear when $(X_{19} \gg 23)$ is done (as shown in Fig. 4(a)); hence it does not affect X_{20} etc.

For the second chunk, we use a few bits of X_{14} as the neutral word and avoid differences in X_7 in the first pass. Meanwhile, we avoid differences in X_8, …, X_{13} and X_{15} for the second pass. In the end, we have {X_0, …, X_3, X_{14}, X_{16}, …, X_{23}} affected, as shown in Fig. 4(b). Note this comes with a constraint.

Constraint 5. X_{15} remains constant.

The two neutral words affect some common message words, i.e., X_2, X_3, X_6 and X_{19}. We will need to choose the bits from the two neutral words X_{14} and X_{19} properly, so that

Constraint 6. X_{14} and X_{19} will not affect any common bits of any word simultaneously, i.e., for X_2, X_3, X_6 and X_{19}.

We are left with the choice of the neutral bits for minimizing the attack complexity, which will be discussed later in Section 4.5.


4.4 Partial Matching and Partial Fixing 

The direct partial matching works for 3 steps by computing backwards. Furthermore, by fixing the even bytes of the first message word (partial fixing technique) in the forward direction, Isobe and Shibutani [ref] are able to achieve 4 steps, and 5 steps by Wang and Sasaki [ref]. In addition to the 4-step initial structure, we further pose more conditions on message words in order to achieve 5-step partial matching (different from [ref]), as shown in Fig. 3(c); it covers step 2 to step 6.

Constraint 7. The partial information below X_3 as in Fig. 3(c), computed from X_6, should cover all even bytes so that we can compute the even function in step 3;

Constraint 8. $X_2^o$ should be related to X_{14} only, so that we can compute the odd function at step 2 independently of X_{19}.

To summarize, we are to use {X_7, …, X_{13}} as one chunk and {X_{19}, …, X_{23}, X_1, X_2} as the other chunk; the precomputed initial structure covers the steps using {X_{14}, …, X_{18}} (i = 14 for Section 4.2); and partial matching works for {X_2, …, X_6}. Hence, the full Tiger of all 24 steps is covered.
4.5 Attack Description and Complexity Analysis

In this section, we show how to set the message words and registers for the PIS 
in order to have all constraints fulfilled. We also give algorithms with complexity 
evaluations, when necessary, to demonstrate how the attack works. 

Fulfilling all Constraints. To have the constraints about X_{19} fulfilled (i.e., Constraints 4 and 6), we choose neutral bits from $X_{19}^{S_b}$, where S_b = {0, …, 7, 16, …, 22}. Similarly, to have Constraint 1 on X_{14} fulfilled, we restrict the neutral bits to bytes 3, 5, 7 of X_{14}, i.e., $X_{14}^{S_f}$ with S_f = {24, …, 31, 40, …, 47, 57, …, 63} (bit 56 is reserved for padding). Due to the fact that addition/subtraction will only propagate differences towards the MSB, the least significant bits of $X_{14}^{S_f}$ that may affect X_2, X_3, X_6, X_{19} are 43 (due to ≪19), 62 (due to ≪19 twice), 24, and 24, respectively. However, $X_{14}^{S_f}$ has a very low chance (≈ 0) of affecting up to bit 43 of X_2, bit 62 of X_3 and bit 24 of X_{19}, and we will filter candidates so that the influence on X_6 is limited to up to bit 23. Hence, Constraint 6 can be fulfilled. To fulfill Constraint 5, we force $Y_7^{S_f} = X_{14}^{S_f}$ (through setting $X^{[?]} = 0$), and $X^{S_f}_{[?]} = K_4^{S_f}$. We leave Constraint [?] for the PIS setup, and Constraint [?] for partial matching, to be addressed later.

Precomputed Initial Structure. For the precomputed initial structure to work, we have to preset several message words. Besides $X^{[?]} = 0$ and $X^{S_f}_{[?]} = K_4^{S_f}$, we still need to take care of the padding. We set $X_6^{[?]} = 1$, i.e., the length of the original message in the last block is 447 (7 × 64 − 1). Hence, we need to set $X_7^{\{0,\dots,8\}} = 447$. Note that adding more blocks will affect the length by a multiple of $2^9$, which has no effect on the 9 LSBs of X_7. To reduce the influence of $X_{14}^{S_f}$ on X_6, we further set $(\overline{Y_4} \gg 23 \oplus Y_5)^{S_f} = 0$, so that only $X_6^{S_f}$ out of X_6 will be affected. Note the PIS can be done in $2^{15}$ evaluations of the key scheduling (leaving the restriction on $X_{14}^{S_f}$ to probability only). This is negligible since we can reuse the PIS at least $2^{16}$ times, to be discussed later.

Finding good candidates - Backward. We use bits from $X_{19}^{S_b}$ to compute the good candidates for the backward direction. Constraint [?] further restricts us to choose values such that $X_{19}^{\{0,\dots,7\}}$ and $X_{19}^{\{16,\dots,22\}}$ are multiples of 9 (mul = 9 for the third pass). Hence, we can have $\lceil 2^8/9 \rceil \times \lceil 2^7/9 \rceil = 2^{8.8}$ good candidates. Finally, we filter out candidates which do not fulfill Constraint [?]. Experiments show that the remaining good candidates are about $2^8$. Note these good candidates need to be computed under the constrained PIS; we use message modification techniques to fulfill the constraints for the PIS, and to get the $2^8$ good candidates in less than $2^{19}$ key scheduling evaluations. Details can be found in [ref].

Finding good candidates - Forward. We use bits from $X_{14}^{S_f}$ to compute the good candidates for the forward direction. To have Constraint 3 fulfilled, we need to filter the candidates such that $C_{i+3} \oplus X_{i+4}$ gives 1 as in Fig. 3(b); this reduces the number of candidates to $2^{23-15} = 2^8$. Note that this part can be re-used for many different (at least $2^{16}$) C_i, by changing the even bytes, which we can freely set at the very beginning of the MITM preimage attack. Hence, the time complexity for this part is also negligible.
Probabilistic Partial Matching. Partial matching matches A_2 from both sides, where we can compute A_2 in the forward direction without any problem. However, in the backward direction, we only know information on bytes 0, 1, 2, 4, 6 of X_6 (red), as needed to compute $B_3^e$. Note that $B_3 = (B_6 \oplus X_6 + \mathrm{even}(B_6))/5 - \mathrm{odd}(B_5)$ (mul = 5 for the first pass), where B_5 and B_6 are known. We rewrite it as $B_3 = (B_6 \oplus X_6)/5 + K_5$, where $K_5 = \mathrm{even}(B_6)/5 - \mathrm{odd}(B_5)$. We can compute bytes 0, 1, 2 of B_3, yet we still need bytes 4, 6 from the information on bytes 4, 6 of X_6 only. Note that

$$
B_3^{\{32,\dots,39\}} = \bigl(B_6^{\{32,\dots,39\}} \oplus X_6^{\{32,\dots,39\}} - \mathrm{Bo} \times 2^{32}\bigr)/5 + K_5^{\{32,\dots,39\}} + \mathrm{Ca} \times 2^{32},
$$

where Bo ∈ {0, …, 4} denotes the borrow from bit 31 when the '/5' is carried out, and Ca ∈ {0, 1} denotes the carry of the '+' from bit 31. We deal with Bo by computing all possible choices, and guess Ca [?], which results in a probability of 3/4 for the Ca to be correct. This gives an example for byte 4, and we can deal with byte 6 similarly. The process results in 25 times more computations for partial matching, together with probability 9/16. However, we shall only need to repeat the even and the '/5' at Step 3, so that the essential repetition is equivalent to less than $2^{-1}$ compression computations per candidate.

Complexity of Finding a (Second) Preimage. Following the MITM preimage attack framework, the pseudo-preimage attack works as follows.

1. Randomly choose A_{14}, B_{14}, C_{14}.

2. Compute the precomputed initial structure.

3. Compute candidates in the backward and forward directions.

4. Repeat for $2^{16}$ values of C_{14} by looping over all values in bytes 4 and 6 (this step is to make the time complexity for the first three steps negligible):

 (a) For each candidate of the backward and forward directions, compute A_2 independently.

 (b) Carry out probabilistic partial matching. If a full match on A_2 is found, further re-check if the "guess" is correct.

5. Repeat 1-4 until a pseudo-preimage is found.

The pseudo-preimage attack works in time $2^{185.4}$ ($2^{192-8} \times 1.5 \times (3/4)^{-2}$), which can be reduced to $2^{182.4}$ when more than $2^4$ targets are available (by using targets as part of the backward candidates, as in GMTPP). The pseudo-preimage can be converted to a preimage attack with time complexity $2^{189.7}$ using the traditional conversion, with memory requirement of order $2^8$. Following the GMTPP framework, the time complexity can be further reduced to $2^{188.8}$ (by computing 24 pseudo-preimages and $2^{192}/24$ linking messages), with the same memory requirement. Similarly, the second-preimage attack works in $2^{188.2}$, when the given message is of more than $2^4$ blocks.

5 Concluding Discussion 

We conclude with a discussion of results and some open problems that are independent of particular hash functions. In this paper we have extended the framework around meet-in-the-middle attacks that is currently being developed by the community with a number of general approaches. We illustrated those extensions with improved preimage attacks on various time-tested hash functions, with the first cryptanalytic attack on the full Tiger hash function probably being the most interesting example. Other examples include various improved preimage attacks on MD4 and step-reduced SHA-2.

One of the generic ideas presented was the following. Under the meet-in-the-middle preimage attack framework, we presented new techniques to convert a pseudo-preimage into a preimage faster than the traditional method, i.e., the Generic Multi-Target Pseudo Preimage and a simple precomputation technique. It will be interesting to see if an algorithm solving the Enhanced 3-Sum Problem faster than $2^{2n}$ for a set size of $2^n$ exists, so that the MTPP can be valid for any $\ell$. On the other hand, we found a pseudo-preimage for MD4 in $2^{72}$; it will be interesting to see if any of the new conversion techniques, or other as yet unknown techniques, work when converting pseudo-preimage to preimage for MD4.

We expect the techniques outlined in this paper to also improve existing preim- 
age attacks on well studied hash functions like MD5, SHA-1, HAVAL, and others. 
Also, the narrow-pipe SHA-3 candidates seem to be natural targets. 
Abstract. Knudsen and Preneel (Asiacrypt'96 and Crypto'97) introduced a hash function design in which a linear error-correcting code is used to build a wide-pipe compression function from underlying blockciphers operating in Davies-Meyer mode. Their main design goal was to deliver compression functions with collision resistance up to, and even beyond, the block size of the underlying blockciphers. In this paper, we present new collision-finding attacks against these compression functions using the ideas of an unpublished work of Watanabe and the preimage attack of Ozen, Shrimpton, and Stam (FSE'10). In brief, our best attack has a time complexity strictly smaller than the block-size for all but two of the parameter sets. Consequently, the time complexity lower bound proven by Knudsen and Preneel is incorrect and the compression functions do not achieve the security level they were designed for.

Keywords: Collision attack, coding theory, compression function. 

1 Introduction 

Hash functions are currently at the centre of the cryptographic community's attention. While most of this attention is geared directly towards the SHA-3 competition (by analysing its remaining candidates), other, arguably more fundamental questions regarding hash function design should not be forgotten. After all, the study of the underlying principles of hash function design is potentially beneficial for the SHA-3 decision process.

The two most revered principles in hash function design are (i) the Merkle-Damgård iterative construction, or more generally the principle of designing a secure compression function, and (ii) the Davies-Meyer construction, or more generally the principle of using a blockcipher as the underlying primitive. Indeed, the currently standardized hash functions from the SHA family follow this approach (as did their predecessor MD5), as well as several of the SHA-3 candidates.

It was already recognized early on that the output sizes of traditional blockciphers are insufficient to yield a secure compression function [refs]. This still holds true today: for all the (optimally secure) PGV blockcipher-based compression functions [refs] based on an n-bit blockcipher, the (time) complexity of collision- and preimage-finding attacks is at most $2^{n/2}$, resp. $2^n$; when n = 128 (e.g. AES) the resulting bounds are mostly unacceptable for current practice (in particular for collision resistance).

To achieve acceptable security (based on small block sizes) it is necessary to output a multiple of the block-length. In the 1990s many constructions were proposed for this goal, mostly outputting 2n bits with the explicit collision resistance target of $2^n$ (see [refs] for an overview). The standard goal for these constructions has been optimal collision-resistance: a target output size is fixed and the compression function should be collision resistant up to the birthday bound for that digest size. In three papers [refs], Knudsen and Preneel adopted a different approach, namely to fix a particular security target and let the output size (and relatedly the number of blockcipher calls) vary as needed in order to guarantee that security target without imposing optimal security.

Specifically, given r independent ideal compression functions f_1, …, f_r, each mapping cn bits to n bits, they create a new 'bigger' compression function outputting rn bits. Following principles (i) and (ii) already mentioned, they then propose to instantiate the underlying ideal compression functions with a blockcipher run in Davies-Meyer mode and to iterate the compression function to obtain a full blockcipher-based hash function. However, they derive their security from the compression function, so that is where we will focus our attention.

The f_1, …, f_r are run in parallel, where each of their inputs is some linear combination of the blocks of message and chaining variable that are to be processed; the rn-bit output of their construction is the concatenation of the outputs of these parallel calls. The elegance of the KP construction is in how the inputs to f_1, …, f_r are computed. They use the generator matrix of an [r, k, d] error-correcting code over $\mathbb{F}_{2^c}$ to determine how the ck input blocks of the 'big' compression function are xor'ed together to form the inputs to the underlying r functions. (In a generalization they consider the f_i as mapping from bcn' to bn' bits instead and use a code over $\mathbb{F}_{2^{bc}}$.)

The (deliberate) effect of this design is that when two inputs to the 'big' compression function differ, the corresponding inputs for the underlying functions will differ for at least d functions. In particular, when using a systematic generator, a change in the systematic part of the input results in at least d − 1 so-called active functions in the non-systematic part. Intuitively this means that one has to find a preimage, resp. a collision, for the d − 1 active functions in parallel. Based on this observation, Knudsen and Preneel claim that (under an assumption) any collision attack needs time at least $2^{(d-1)n/2}$ (and as many f_i evaluations), and they conjecture that a preimage attack will require time at least $2^{(d-1)n}$. Additionally, they give preimage and collision attacks (sometimes matching their lower bounds).

Watanabe [ref] already pointed out a collision attack beating the one given by Knudsen and Preneel for many of the parameter sets. In particular, his differential attack works whenever r < 2k and has a query and time complexity of essentially $k 2^n$. Thus he demonstrated that the proven collision resistance lower bound given by Knudsen and Preneel is incorrect whenever r < 2k and d > 3. For a code with minimum distance d = 3 he matches the Knudsen-Preneel $2^n$ collision-resistance lower bound, but does not violate it; the two codes proposed by Knudsen and Preneel with r ≥ 2k (namely $[4,2,3]_8$ and $[5,2,4]_8$) seem beyond reproach. Yet this was the first indication that something is amiss with the claim by Knudsen and Preneel. A second indication arrived at FSE'10, when Ozen, Shrimpton, and Stam [ref] demonstrated a remarkably efficient preimage attack that, for 9 out of 16 cases, runs in time $2^{rn/k}$, which was shown optimal. Moreover, using a yield-based argument, they showed that an information-theoretic adversary in principle should be able to find collisions after only $2^{rn/(2k)}$ queries.

Table 1. A summary of collision attacks on the Knudsen-Preneel compression functions, with constant and polynomial factors (in n) ignored. Non-MDS parameters are in italic; for c ∈ {2, 4} the underlying primitive is $f_i : \{0,1\}^{2n} \to \{0,1\}^n$, and for c = 3 it is $f_i : \{0,1\}^{3n} \to \{0,1\}^n$.

[The table body did not survive extraction: it lists, per parameter set (the rows for $[4,2,3]_8$, $[6,4,3]_8$, $[9,7,3]_8$, $[5,2,4]_8$, $[7,4,4]_8$ and $[10,7,4]_8$ are identifiable), the complexities of the compared attacks as powers of 2 in n, with some entries marked ×; the column headings are lost.]

Our contribution. In this paper we deal what we believe will be the final blow against the Knudsen-Preneel compression functions. Our contribution is fourfold, with a summary provided in Table 1. For completeness, we have also investigated the time complexity that one would obtain by straightforward adaptation of the ideas and query complexities of OSS; we refer to the full version of this paper [ref] for the details.

The mise en place in Section [?] provides a detailed mathematical characterization of the Knudsen-Preneel compression function's preprocessing. As a first simple result, this allows us in Section [?] to revise the attack of Watanabe in a way that slightly reduces the time requirements, yet significantly increases the number of collisions it can produce. More precisely, after an initial effort of $d \cdot 2^n$, we can generate (up to) $2^{(k-d)n}$ collisions in constant time (for k > d).

In our revised version of Watanabe's attack, we fix a pure tensor to create a differential. By adaptively looking for an arbitrary tensor and using the same type of queries as Ozen, Shrimpton, and Stam, we arrive in Section 5.2 at a new, symbiotic collision-finding attack with time complexity $O(2^{dn/(d+1)})$. The attack works whenever d ≤ k (as in Watanabe's case). Even more amazing is that if the inequality is strict, that is if d < k, the adversary can create further collisions (like our revised attack) in constant time (up to $2^{(k-d)n}$ collisions).

Thirdly, in Section 6.1 we introduce a parametrized information-theoretic collision attack. It turns out that the new symbiotic attack and the old OSS information-theoretic collision attack are both at opposite ends of the spectrum of this parametrized attack, yet optimality is typically achieved somewhere in the middle, with KP($[4,2,3]_8$) and KP($[5,2,4]_8$) again as exceptions, yielding query complexity $2^{kn/(3k-r)}$.

Our final contribution is a reduced-time variant of our optimized attack above. For this we use the same ideas as OSS, but with a crucial twist: where they used the dual code to look for preimages efficiently, we will use the dual shortened code to search for collisions efficiently. As a result, for 12 out of 16 suggested parameters we can mount a collision attack whose time complexity matches its query complexity (ignoring constants and logarithmic factors). Even better, only for KP($[5,2,4]_8$) are we unable to beat the time complexity of any prior attack we are aware of; for the rest we set new records.

2 Preliminaries 

With some minor modifications, we will adhere to the notation also used by 
Ozen, Shrimpton, and Stam. 

Linear error correcting codes. An $[r, k, d]_{2^c}$ linear error correcting code C is the set of elements (codewords) in a k-dimensional subspace of $\mathbb{F}_{2^c}^r$ (for r > k), where the minimum distance d is defined as the minimum Hamming weight (taken over all nonzero codewords in C). The dual code $[r, r-k, d^\perp]_{2^c}$ is the set of all elements in the (r − k)-dimensional subspace orthogonal to C (with respect to the usual inner product), and its minimum distance is denoted $d^\perp$. The Singleton bound puts a limit on the minimum distance: d ≤ r − k + 1. Codes matching the Singleton bound are called maximum distance separable (MDS). An important property of an MDS code is that its dual is MDS as well, so $d^\perp = k + 1$.

An $[r, k, d]_{2^c}$ code C can be generated by a matrix $G \in \mathbb{F}_{2^c}^{k \times r}$, meaning that $C = \{x \cdot G \mid x \in \mathbb{F}_{2^c}^k\}$ (using row vectors throughout). A generator matrix G is called systematic iff it has the form $G = [I_k \mid P]$ for $P \in \mathbb{F}_{2^c}^{k \times (r-k)}$ and $I_k$ the identity matrix in $\mathbb{F}_{2^c}^{k \times k}$. Furthermore, G is the generator matrix of an MDS code iff any k columns are linearly independent. For an index set $I \subseteq \{1, \dots, r\}$ we define $G_I \in \mathbb{F}_{2^c}^{k \times |I|}$ as the restriction of G to those columns indexed by I.
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For a code and any index set X C {1, . . . , r}, we want to define X C {1, . . . , r} 
such that Gf is invertible (thus in particular |X| = k) and I C I or I C 1. For 
MDS codes, the existence of such an I can be shown easily (and we can impose 
uniqueness e.g. by virtue of an ordering). For non-MDS codes there exist some 
1 for which such an X does not exist (for example the X C {1, . . . , r} for which 
\T\ = k but Gx is not invertible), however for any target cardinality it is possible 
to find an X (of that cardinality) that does have an X (e.g. by first going through 
the systematic columns); we call such an X admissible. 

A given $[r,k,d]_{2^e}$ code $C$ can be shortened to obtain a new, derived code $C'$. Let 
$i \in \{1,\dots,r\}$, then consider the set of all codewords in $C$ that are $0$ on position 
$i$. The new code $C'$ consists of these codewords with position $i$ dropped; however, 
we sometimes ‘quasi-shorten’ and keep the superfluous zeroes present (we always 
keep the original indexing). It is easy to see that $C'$ is an $[r-1, k-1, d]$ code 
unless all codewords in $C$ had a $0$ on position $i$ or $k = 1$ (in the latter case the 
shortening might result in the trivial one-codeword code $\{0^{r-1}\}$). The shortening 
of an MDS code is an MDS code itself. By repeated application one can shorten 
by any index set $I_0 \subseteq \{1,\dots,r\}$ for which $\theta = |I_0| < k$ to obtain a derived 
$[r-\theta, k-\theta, d]$ MDS code $C'$. If $G$ is systematic and $I_0 = \{1,\dots,\theta\}$ we can 
generate the shortened code by dropping the first $\theta$ rows of $G_I$, where $I = 
\{1,\dots,r\} \setminus I_0 = \{\theta+1,\dots,r\}$. (For the four non-MDS codes used by Knudsen 
and Preneel we will perform a separate analysis on repeated shortening.) 

Blockwise-linear compression functions. A compression function is a mapping 
$H : \{0,1\}^{tn} \to \{0,1\}^{sn}$ for some blocksize $n > 0$ and integer parameters 
$t > s > 0$. For positive integers $c$ and $n$, we let $\mathrm{Func}(cn,n)$ denote the 
set of all functions mapping $\{0,1\}^{cn}$ into $\{0,1\}^n$. A compression function is 
Public Random Function (PuRF)-based if its mapping is computed by a program 
with oracle access to a finite number of specified oracles $f_1,\dots,f_r$, where 
$f_1,\dots,f_r \in \mathrm{Func}(cn,n)$. When a PuRF-based compression function operates on 
input $W$, we write $H^{f_1,\dots,f_r}(W)$ for the resulting value. Of primary interest for 
us will be single-layer PuRF-based compression functions without feedforward. 
These call all oracles in parallel and compute the output based only on the results 
of these calls; in particular, the input to the compression function is not considered. 

Most PuRF-based (and blockcipher-based) compression functions are of a special 
type. Instead of arbitrary pre- and postprocessing, one finds only functions 
that are blockwise linear. The Knudsen-Preneel construction is also blockwise 
linear, so let us recall from [ref] what a blockwise-linear scheme is. 

Definition 1 (Blockwise-linear scheme). Let $r,c,b,t,s$ be positive integers 
and let matrices $C^{\mathrm{PRE}} \in \mathbb{F}_2^{rcb \times tb}$, $C^{\mathrm{POST}} \in \mathbb{F}_2^{sb \times rb}$ be given. We define $H = 
\mathrm{BL}^b(C^{\mathrm{PRE}}, C^{\mathrm{POST}})$ to be a family of single-layer PuRF-based compression functions 
$H_n : \{0,1\}^{tn} \to \{0,1\}^{sn}$, for all positive integers $n$ with $b \mid n$. Specifically, 
let $n'b = n$, and $f_1,\dots,f_r \in \mathrm{Func}(cn,n)$. Then on input $W \in \{0,1\}^{tn}$ (interpreted 
as column vector), $H_n^{f_1,\dots,f_r}(W)$ computes the digest $Z \in \{0,1\}^{sn}$ as 
follows: 

1. Compute $X \leftarrow (C^{\mathrm{PRE}} \otimes I_{n'}) \cdot W$; 

2. Parse $X = (x_i)_{i=1\dots r}$ and for $i = 1\dots r$ compute $y_i = f_i(x_i)$; 

3. Parse $(y_i)_{i=1\dots r} = Y$ and output $Z = (C^{\mathrm{POST}} \otimes I_{n'}) \cdot Y$. 

where $\otimes$ denotes the Kronecker product and $I_{n'}$ the identity matrix in $\mathbb{F}_2^{n' \times n'}$. 

In the definition above we silently identified $\{0,1\}^n$ with the vector space $\mathbb{F}_2^n$. 
The map corresponding to $(C^{\mathrm{PRE}} \otimes I_{n'})$ will occasionally be denoted $C^{\mathrm{PRE}}$ and its 
image $\Im(C^{\mathrm{PRE}}) \subseteq \{0,1\}^{rcn}$. It will be convenient for us to write the codomain of 
$C^{\mathrm{PRE}}$ as a direct sum, so we identify $\{0,1\}^{rcn}$ with $\bigoplus_{i=1}^r V_i$ where $V_i = \mathbb{F}_2^{cn}$ for 
$i = 1,\dots,r$. If $x_1 \in V_1$ and $x_2 \in V_2$, then consequently $x_1 + x_2$ will be in $V_1 \oplus V_2$. 
(This extends naturally to $L_1 + L_2$ when $L_1 \subseteq V_1$, $L_2 \subseteq V_2$.) 
Knudsen-Preneel compression functions. Knudsen and Preneel [refs] introduced 
a family of hash functions employing error correcting codes. (We use the 
journal version [ref] as our frame of reference.) Although their work was ostensibly 
targeted at blockcipher-based designs, the main technical thread of their work 
develops a transform that extends the range of an ‘ideal’ compression function 
(blockcipher-based, or not) in a manner that delivers some target level of security. 
As is nowadays typical, we understand an ideal compression function to be 
a PuRF. In fact, the KP transform is a special instance of a blockwise-linear 
scheme (Definition 1), in which the inputs to the PuRFs are determined by a 
linear code over a binary field with extension degree $e > 1$, i.e. $\mathbb{F}_{2^e}$, and with 
$C^{\mathrm{POST}}$ being the identity matrix $I_{rb}$ (corresponding to concatenating 
the PuRF outputs). The extension field itself is represented as a subring of the 
matrix ring (of dimension equalling the extension degree) over the base field. 
We formalize this by an injective ring homomorphism $\varphi : \mathbb{F}_{2^e} \to \mathbb{F}_2^{e \times e}$ and let 
$\varphi : \mathbb{F}_{2^e}^{r \times k} \to \mathbb{F}_2^{re \times ke}$ be the component-wise application of $\varphi$ and subsequent 
identification of $(\mathbb{F}_2^{e \times e})^{r \times k}$ with $\mathbb{F}_2^{re \times ke}$ (we will use $\varphi$ for matrices over $\mathbb{F}_{2^e}$ of 
arbitrary dimensions). For completeness, there is also a group homomorphism 
$\psi : \mathbb{F}_{2^e} \to \mathbb{F}_2^e$ such that for all $g,h \in \mathbb{F}_{2^e}$ it holds that $\psi(gh) = \varphi(g) \cdot \psi(h)$. 

Definition 2 (Knudsen-Preneel transform). Let $[r,k,d]_{2^e}$ be a linear code 
over $\mathbb{F}_{2^e}$ with generator matrix $G \in \mathbb{F}_{2^e}^{k \times r}$. Let $\varphi : \mathbb{F}_{2^e} \to \mathbb{F}_2^{e \times e}$ be an injective 
ring homomorphism and let $b$ be a positive divisor of $e$ such that $ek > rb$. 
Then the Knudsen-Preneel compression function $H = \mathrm{KP}^b([r,k,d]_{2^e})$ equals 
$H = \mathrm{BL}^b(C^{\mathrm{PRE}}, C^{\mathrm{POST}})$ with $C^{\mathrm{PRE}} = \varphi(G^T)$ and $C^{\mathrm{POST}} = I_{rb}$. 

If $H = \mathrm{KP}^b([r,k,d]_{2^e})$, then $H_n : \{0,1\}^{kcn} \to \{0,1\}^{rn}$ with $c = e/b$ is defined for 
all $n$ for which $b$ divides $n$. Moreover, $H_n$ is based on $r$ PuRFs in $\mathrm{Func}(cn,n)$. 
For use of $H$ in an iterated hash function, note that per invocation (of $H$) one 
can compress $(ck - r)$ message blocks (hence the requirement $ek > rb$ ensures 
that compression is actually taking place), and the rate of the compression function 
is $ck/r - 1$. We will concentrate on the case $(b,e) \in \{(1,2),(2,4),(1,3)\}$ and then 
in particular on the 16 parameter sets given by Knudsen and Preneel. Since $b$ 
is uniquely determined given $e$ (and $c$), we will often omit it. 


We note that our analysis is also valid for c = 5 (mimicking the MD4/5 situation). 
Security notions. A collision-finding adversary is an algorithm whose goal is 
to find two distinct inputs $W, W'$ that hash to the same value, so $H(W) = 
H(W')$. We will consider adversaries in two scenarios: the information-theoretic 
one and a more realistic concrete setting. For information-theoretic adversaries 
the only resource of interest is the number of queries made to their oracles. 
Otherwise, these adversaries are considered (computationally) unbounded. In 
the concrete setting, on the other hand, we are interested in the actual runtime 
of the algorithm and, to a lesser extent, its memory consumption (and code-size). 

3 Prior Art on the Knudsen-Preneel Hash Functions 

Knudsen and Preneel’s security claims. Knudsen and Preneel concentrate 
on the collision resistance of their compression function in the complexity theoretic 
model. Under a fairly generous (but plausible) assumption, they essentially 
show that if $H = \mathrm{KP}^b([r,k,d]_{2^e})$, then finding collisions in $H_n$ takes time at 
least $2^{(d-1)n/2}$. For preimage resistance Knudsen and Preneel do not give a 
corresponding theorem and assumption, yet they do conjecture it to be essentially 
the square of the collision resistance. 

Knudsen and Preneel also present two attacks, one for finding preimages [ref, 
Proposition 3] and one for finding collisions [ref, Proposition 4] (see results in 
Table 1). Both attacks revolve around finding multi-preimages for the systematic 
part of the construction in sufficient numbers to make it likely that completion 
to the non-systematic part will yield a full preimage respectively a full collision. 

Watanabe’s collision-finding attack. Knudsen and Preneel left a considerable 
gap between the actual complexity of attacks and their lower bounds in the 
case of collision resistance. Watanabe [ref] has pointed out a collision attack that 
runs in time $k2^n$ (and as many PuRF evaluations). Thus, for many of the 
parameter sets, it beats the one given by Knudsen and Preneel. More interestingly, 
his attack serves as proof that the lower bound given by Knudsen and Preneel 
is incorrect for a large class of parameters: whenever $r < 2k$ and $d > 3$, which 
involves 6 out of 16 parameter sets. (See also Table 1.) 

Assume that the code’s generator matrix is systematic, that is $G = (I_k \mid P)$ 
with $P \in \mathbb{F}_{2^e}^{k \times (r-k)}$. Then the goal is to generate, for each $i \in \{1,\dots,k\}$, a 
colliding pair of inputs $x_i \ne x_i'$ (and $f_i(x_i) = f_i(x_i')$) in such a way that their 
completion to full ‘codewords’ satisfies $x_i = x_i'$ for $i \in \{k+1,\dots,r\}$. This is 
done by ensuring that $x_i \oplus x_i' = \Delta_i$ where $\Delta = \sum_i \Delta_i \in \mathbb{F}_2^{ekn'} \setminus \{0\}$ is in the 
kernel of $\varphi(P^T) \otimes I_{n'}$ (since $r-k < k$ the kernel is guaranteed to contain a 
nontrivial element). Mutual independence of the inputs to the PuRFs corresponding 
to the code’s systematic part allows the initial collision searches to be mounted 
independently. Unfortunately, since the collisions need to be rather special (due 
to the fixed $\Delta_i$’s), the birthday paradox does not apply and a collision search costs 
about $2^n$ queries and time (per PuRF). On the plus side, the attack is trivially 
memoryless and parallelizable. 



Ozen-Shrimpton-Stam preimage-finding attack. An extensive security 
analysis for the preimage resistance of KP-constructions, falsifying the designers’ 
conjectured lower bound, has been provided by Ozen, Shrimpton, and Stam [ref]. 
Additionally, they also provided a related collision-finding attack with a surprisingly 
low query complexity: $2^{rn/(2k)}$ (but no analysis of its time complexity). 

At the core of the Ozen-Shrimpton-Stam attacks is the simple observation 
that $(0^a \| x_1) \oplus (0^a \| x_2)$ yields a string of the form $(0^a \| x)$. More generally, 
any linear combination of strings with the same pattern of fixed zero bits will 
yield a string with the same form. By restricting PuRF queries to strings with 
the same (blockwise) pattern one can optimize the yield of these queries (i.e. the 
maximum number of KP compression function evaluations an adversary can 
compute for a given number of queries). Matching the yield with the size of the 
codomain (resp. its square root) gives rise to an information-theoretic preimage 
(resp. collision) attack. 

A second observation is that, in the case of a preimage attack, the dual code 
can be used to find the preimage far more efficiently than a naive method. 
Direct application of this method however is disappointing (see Table 1). The 
resulting time complexities are typically much higher than the corresponding 
query complexities and the attack is seldom competitive with that of Knudsen 
and Preneel, let alone with that of Watanabe. 

4 Decoding the Knudsen-Preneel Preprocessing 

An important property that is exploited by both Watanabe and OSS is linearity 
of $C^{\mathrm{PRE}}$. Indeed, the image $\Im(C^{\mathrm{PRE}})$ itself can be regarded as an $ekn'$-dimensional 
subspace of $\mathbb{F}_2^{ern'}$, or equivalently as an $[ern', ekn', d']_2$ code $C^\otimes$ (where the 
minimum distance $d'$ is largely irrelevant; it satisfies $d \le d' \le de$). This has the 
consequence that if $X = C^{\mathrm{PRE}}(W)$ and $X' = C^{\mathrm{PRE}}(W')$ collide, it is guaranteed 
that $\Delta = X \oplus X' \in \Im(C^{\mathrm{PRE}})$, i.e. the difference $\Delta$ itself is a (nonzero) codeword in 
$C^\otimes$. Below we will give a more detailed mathematical characterization of $\Im(C^{\mathrm{PRE}})$, 
with a special eye towards the improved collision-finding algorithms we will give 
later on. Most of the results below are mathematically rather straightforward 
(and the proofs are left to the full version); the machinery is mainly needed to 
ensure that, when using canonical bases for the various vector spaces, everything 
lines up correctly and consistently with the actual Knudsen-Preneel compression 
function. 

Recall that we are given an injective ring homomorphism $\varphi : \mathbb{F}_{2^e} \to \mathbb{F}_2^{e \times e}$ 
and a group isomorphism $\psi : \mathbb{F}_{2^e} \to \mathbb{F}_2^e$ that satisfy $\varphi(g)\psi(h) = \psi(gh)$ for all 
$g,h \in \mathbb{F}_{2^e}$. Let $[r,k,d]_{2^e}$ be a linear code with generator matrix $G \in \mathbb{F}_{2^e}^{k \times r}$, let $b$ 
be a positive divisor of $e$ such that $ek > rb$ and finally let $n = bn'$ be a multiple 
of $b$. Then the input processing $C^{\mathrm{PRE}} : \{0,1\}^{ekn'} \to \{0,1\}^{ern'}$ of the Knudsen-Preneel 
compression function is defined by $C^{\mathrm{PRE}}(W) = (\varphi(G^T) \otimes I_{n'}) \cdot W$ (and 
note that $ern' = rcn$). 

Characterization of $\Im(C^{\mathrm{PRE}})$ as a sum. We have already written the codomain 
of $C^{\mathrm{PRE}}$ as a direct sum of PuRF inputs by identifying $\{0,1\}^{rcn}$ with $\bigoplus_{i=1}^r V_i$ 
where $V_i = \mathbb{F}_2^{cn}$ for $i = 1,\dots,r$. Here we will use a second interpretation that 
emphasizes the code. We will consider $\bigoplus_{j=1}^{n'} U_j$ where $U_j = \mathbb{F}_{2^e}^r$ for $j = 1,\dots,n'$. 
Since $\mathbb{F}_{2^e}^r$, and by extension $\bigoplus_{j=1}^{n'} U_j$, is a vector space over $\mathbb{F}_{2^e}$, whereas $\{0,1\}^{ern'}$ 
is a stand-in for the vector space $\mathbb{F}_2^{ern'}$ over $\mathbb{F}_2$, we cannot find a vector space 
isomorphism (as for the earlier direct sum). Nonetheless we can find a suitable 
group isomorphism from $\bigoplus_{j=1}^{n'} U_j$ to $\{0,1\}^{ern'}$. 

To define the group isomorphism we exploit that, luckily, the underlying $\mathbb{F}_{2^e}$ 
arithmetic is essentially preserved by $C^{\mathrm{PRE}} : \{0,1\}^{ekn'} \to \{0,1\}^{ern'}$, even though 
the Kronecker product with $I_{n'}$ in $C^{\mathrm{PRE}}(W) = (\varphi(G^T) \otimes I_{n'}) \cdot W$ garbles things up. To formalize this, 
let $\rho : \mathbb{F}_{2^e}^{n'} \to \mathbb{F}_2^{en'}$ be the group isomorphism such that $\rho(g\delta) = (\varphi(g) \otimes I_{n'}) \cdot \rho(\delta)$ 
for all $\delta \in \mathbb{F}_{2^e}^{n'}$ and $g \in \mathbb{F}_{2^e}$. 

As usual, we will extend $\rho$ to e.g. $r$-tuples of elements in $\mathbb{F}_{2^e}^{n'}$ (and hence 
to vectors in $\mathbb{F}_{2^e}^{rn'}$) by component-wise application, i.e. $\rho : \mathbb{F}_{2^e}^{rn'} \to \mathbb{F}_2^{ern'}$. This 
suffices for a group isomorphism from $\bigoplus_{j=1}^{n'} U_j$ to $\{0,1\}^{ern'}$ as well. 

Lemma 1. Let $I_0 \subseteq \{1,\dots,r\}$, let $C'$ be the (quasi) shortening of $C$ on $I_0$ and 
let $C_j' = C' \subseteq U_j$ for $j = 1,\dots,n'$. Then $X = \sum_i x_i \in \Im(C'^{\mathrm{PRE}})$ with $x_i = 0$ for 
all $i \in I_0$ iff there exist $g_j = \sum_{i=1}^r g_{ji} \in C_j'$ (for $j = 1,\dots,n'$) such that $x_i = \rho(\sum_{j=1}^{n'} g_{ji})$. 

The following proposition develops the key idea on how to recognize that a given 
$X \in \mathbb{F}_2^{ern'}$ is an element of $\Im(C^{\mathrm{PRE}})$. This result is exploited in [ref] to efficiently 
find preimages for Knudsen-Preneel compression functions. 

Proposition 1. Let $H = \mathrm{KP}^b([r,k,d]_{2^e})$, $M \in \mathbb{F}_2^{e \times re}$ and a nonzero $X \in 
\mathbb{F}_2^{ern'}$ be given. Suppose that $M = \varphi(h^T)$ for some $h \in C^\perp$; then $X \in \Im(C^{\mathrm{PRE}})$ 
iff for all positive integers $n'$ it holds that $(M \otimes I_{n'}) \cdot X = 0$. 
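As an added illustration (not code from the paper), the following Python builds a toy instance of Definition 2 and runs the membership test of Proposition 1 on it. It assumes $e = 2$, $b = 1$, the $[3,2,2]_4$ MDS code generated by $G = [I_2 \mid (1,1)^T]$ with dual codeword $h = (1,1,1)$, and SHA-256 as a stand-in for the PuRFs; because $r - k = 1$ for this code, that single dual codeword characterises $\Im(C^{\mathrm{PRE}})$ exactly, and the pure-tensor map $\rho(g \otimes \delta)$ used in Lemma 2 below is included so that its membership criterion can be checked as well.

```python
import hashlib

# Toy Knudsen-Preneel parameters (constructed for illustration): e = 2, b = 1 (so
# c = e/b = 2) and the [3,2,2]_4 MDS code with generator matrix G = [I_2 | (1,1)^T].
# Elements of F_4 are the ints 0..3, where x0 + 2*x1 stands for x0 + x1*w, w^2 = w + 1.
E, B = 2, 1
R, K = 3, 2
G = [[1, 0, 1],
     [0, 1, 1]]
H_DUAL = [1, 1, 1]   # spans the dual [3,1,3]_4 code: h . g = 0 for every row g of G


def mul4(a, b):
    """Multiplication in F_4 = F_2[w]/(w^2 + w + 1)."""
    a0, a1, b0, b1 = a & 1, a >> 1, b & 1, b >> 1
    c0 = (a0 & b0) ^ (a1 & b1)               # w^2 = w + 1 feeds a1*b1 into both coordinates
    c1 = (a0 & b1) ^ (a1 & b0) ^ (a1 & b1)
    return c0 | (c1 << 1)


def phi(g):
    """Injective ring homomorphism phi: F_4 -> F_2^{2x2}, the matrix of multiplication
    by g in the basis {1, w}; column j holds the coordinates of g * w^j."""
    cols = [mul4(g, 1), mul4(g, 2)]
    return [[(cols[j] >> i) & 1 for j in range(E)] for i in range(E)]


def phi_matrix(A):
    """Component-wise phi on an m x l matrix over F_4, giving an em x el binary matrix."""
    m, l = len(A), len(A[0])
    out = [[0] * (E * l) for _ in range(E * m)]
    for i in range(m):
        for j in range(l):
            blk = phi(A[i][j])
            for a in range(E):
                for b in range(E):
                    out[E * i + a][E * j + b] = blk[a][b]
    return out


def kron_id_apply(M, v, np_):
    """(M kron I_{n'}) . v over F_2 without building the Kronecker product: output bit
    a*n' + s depends only on input bits b*n' + s, i.e. position s is handled blockwise."""
    rows, cols = len(M), len(M[0])
    assert len(v) == cols * np_
    out = [0] * (rows * np_)
    for a in range(rows):
        for b in range(cols):
            if M[a][b]:
                for s in range(np_):
                    out[a * np_ + s] ^= v[b * np_ + s]
    return out


C_PRE = phi_matrix([list(col) for col in zip(*G)])   # phi(G^T): er x ek = 6 x 4 binary


def purf(i, x_bits, n):
    """Stand-in for the public random function f_i in Func(cn, n), built from SHA-256."""
    digest = hashlib.sha256(bytes([i]) + bytes(x_bits)).digest()
    return [(digest[j // 8] >> (j % 8)) & 1 for j in range(n)]


def kp_compress(W, n):
    """H_n(W) for H = KP^1([3,2,2]_4): ekn' = 4n input bits, rn = 3n output bits."""
    np_ = n // B
    assert len(W) == E * K * np_
    X = kron_id_apply(C_PRE, W, np_)             # step 1: X <- (C_PRE kron I_{n'}) . W
    block = E * np_                               # each PuRF input x_i has en' = cn bits
    Z = []
    for i in range(R):                            # steps 2 and 3 with C_POST = I_{rb}
        Z += purf(i, X[i * block:(i + 1) * block], n)
    return Z


def in_image_of_cpre(X, n):
    """Proposition 1 with h = (1,1,1) in the dual code: X is in Im(C_PRE) iff
    (phi(h^T) kron I_{n'}) . X = 0.  Since r - k = 1 here, the kernel of this 2n' x 6n'
    map has dimension 4n' = ekn', so the single dual codeword characterises the image."""
    M = phi_matrix([H_DUAL])                      # h as a 1 x r matrix -> e x er binary
    return not any(kron_id_apply(M, X, n // B))


def rho_tensor(g, delta, np_):
    """rho(g kron delta) for g in F_4^r and delta in F_4^{n'}, laid out like X:
    bit (e*i + c)*n' + s is coordinate c of g_i * delta_s.  By Lemma 2 the result lies
    in Im(C_PRE) iff g is a codeword or delta = 0."""
    out = [0] * (E * R * np_)
    for i in range(R):
        for s in range(np_):
            v = mul4(g[i], delta[s])
            for c in range(E):
                out[(E * i + c) * np_ + s] = (v >> c) & 1
    return out
```

Flipping any single bit of a valid $X$ makes the test fail, because every column of $\varphi(h^T)$ is a column of an invertible block, so the pruning this check enables never discards a genuine image element.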

Since $\mathbb{F}_{2^e}^{rn'}$ is isomorphic (as vector space over $\mathbb{F}_{2^e}$) to the tensor product $\mathbb{F}_{2^e}^r \otimes 
\mathbb{F}_{2^e}^{n'}$, this leads in a natural way to a function from $\mathbb{F}_{2^e}^r \times \mathbb{F}_{2^e}^{n'}$ to $\{0,1\}^{rcn}$ by 
considering pure tensors $g \otimes \delta$ with $g \in \mathbb{F}_{2^e}^r$ and $\delta \in \mathbb{F}_{2^e}^{n'}$. Note that we do not 
discriminate between different representatives, that is for nonzero $\beta \in \mathbb{F}_{2^e}$ we 
have that $g \otimes \delta = (\beta g) \otimes (\beta^{-1}\delta)$. 

Lemma 2. If $g \in \mathbb{F}_{2^e}^r$ and $\delta \in \mathbb{F}_{2^e}^{n'}$ then $\rho(g \otimes \delta) \in \Im(C^{\mathrm{PRE}})$ iff $g \in C$ or $\delta = 0$. 

The following lemma states that invertibility of $G_{\bar I}$ suffices to invert $C^{\mathrm{PRE}}$. 

Lemma 3. Let $G$ be a generator matrix for an $[r,k,d]_{2^e}$ code. Let $\bar I \subseteq \{1,\dots,r\}$ 
be such that $G_{\bar I}$ is invertible, with transposed inverse $G_{\bar I}^{-T}$. Let $n'$ be an integer 
and, for $i = 1,\dots,r$, let $V_i = \mathbb{F}_2^{en'}$ be a direct-sum decomposition of $\mathbb{F}_2^{ern'}$ as 
before. If given $x_i \in V_i$ for $i \in \bar I$, or equivalently $X = \sum_{i \in \bar I} x_i$, then 

$W = (\varphi(G_{\bar I}^{-T}) \otimes I_{n'}) \cdot X$ 

is the unique element for which $X' = C^{\mathrm{PRE}}(W)$ satisfies $x_i' = x_i$ for $i \in \bar I$. 
Algorithm 1 (Revised Watanabe Collision Attack). 

Input: $H = \mathrm{KP}^b([r,k,d]_{2^e})$ satisfying $d \le k$, a nonzero $g \in C \subseteq \mathbb{F}_{2^e}^r$ with 
$|\chi(g)| \le k$, a block size $n = bn'$, and an arbitrary nonzero $\delta \in \mathbb{F}_{2^e}^{n'}$. 
Output: A colliding pair $(W,W') \in (\{0,1\}^{ekn'})^2$ such that $H_n(W) = 
H_n(W')$, $W \ne W'$ and $C^{\mathrm{PRE}}(W) \oplus C^{\mathrm{PRE}}(W') = \rho(g \otimes \delta)$. 

1. Initialization. Compute $\Delta \leftarrow \rho(g \otimes \delta)$, set $I \leftarrow \chi(g)$ and determine 
$\bar I \supseteq I$ for which $G_{\bar I}$ is invertible. 

2. Query Phase. For $i \in I$ do 

a. Generate a random $x_i \leftarrow V_i\,(= \mathbb{F}_2^{en'})$ and set $x_i' \leftarrow x_i \oplus \Delta_i$; 

b. Query $y_i \leftarrow f_i(x_i)$ and $y_i' \leftarrow f_i(x_i')$; 

c. If $y_i = y_i'$ then keep $(x_i, x_i')$ and proceed to the next $i$, else return to a. 

3. Degrees of Freedom. For $i \in \bar I \setminus I$ pick $x_i \leftarrow V_i$ and set $x_i' \leftarrow x_i$. 

4. Finalization. Output $(W,W')$ where 

$W \leftarrow (\varphi(G_{\bar I}^{-T}) \otimes I_{n'}) \cdot \Big(\sum_{i \in \bar I} x_i\Big)$ and $W' \leftarrow (\varphi(G_{\bar I}^{-T}) \otimes I_{n'}) \cdot \Big(\sum_{i \in \bar I} x_i'\Big)$. 


5 A New Symbiotic Collision-Finding Attack 

5.1 Revising Watanabe’s Attack 

Watanabe’s attack has complexity $k2^n$, requires $k > r-k$ and essentially finds 
a single collision. Below we give a revised and improved version of his algorithm. 
It only has complexity $d2^n$, requires $k \ge d$ and it potentially results in many, 
many collisions. More precisely, if $k > d$ then after the initial effort (of $d2^n$) we 
can find a new collision in constant time, for up to a whopping $2^{(k-d)n}$ collisions. 

In his note, Watanabe describes his attack as a differential attack. Where 
originally $\Delta$ was computed as some non-trivial kernel element, we will compute 
it based on a codeword $g \in C$ of sufficiently low weight and an arbitrary (nonzero) 
‘block multiplier’ $\delta$. In particular, we will set $\Delta = \rho(g \otimes \delta)$. By using a minimal 
weight codeword the attack performs best. 

For the revised attack to work, we need one further ingredient. Watanabe 
assumes a systematic code and exploits that, when $k > r-k$, there exists a 
nonzero codeword $g \in C$ for which $\chi(g) \subseteq \{1,\dots,k\}$. This allows easy completion 
of a partial collision to a full collision. Our revised version allows an 
arbitrary (nonzero) codeword $g$ of weight at most $k$ (existence of which requires 
$d \le k$). Thus $\chi(g)$ might no longer map to the systematic part of the code. 
Luckily, Lemma 3 provides completion to a full collision, provided $I = \chi(g)$ is 
admissible. For MDS codes all codewords are admissible; for the four non-MDS 
codes proposed by Knudsen and Preneel it can be verified that the minimum 
distance codewords are admissible. 

Theorem 1 (Revised Watanabe attack). Let $H = \mathrm{KP}^b([r,k,d]_{2^e})$ be given 
with $d \le k$. Consider $H_n$ (with $b \mid n$). Then Algorithm 1 using a minimum-weight 
Algorithm 2 (New Symbiotic Collision Attack). 

Input: $H = \mathrm{KP}^b([r,k,d]_{2^e})$ satisfying $d \le k$, a $g \in C \subseteq \mathbb{F}_{2^e}^r$ with $|\chi(g)| = d$, 
and a block size $n = bn'$. 

Output: A colliding pair $(W,W') \in (\{0,1\}^{ekn'})^2$ such that $H_n(W) = 
H_n(W')$, $W \ne W'$ and $C^{\mathrm{PRE}}(W) \oplus C^{\mathrm{PRE}}(W') = \rho(g \otimes \delta)$ for some nonzero 
$\delta \in \mathbb{F}_{2^e}^{n'}$ to be determined. 

1. Initialization. Set $\alpha = d/(d+1)$, $I = \chi(g)$ and determine $\bar I$. Let $g = 
(g_1,\dots,g_r)$ with $g_i \in \mathbb{F}_{2^e}$ for $i = 1,\dots,r$. 

2. Query Phase. Define 

$\mathcal{X} = \big(\{0\}^{e-\alpha b} \times \{0,1\}^{\alpha b}\big)^{n'}$ 

and, for $i \in I$ let $Q_i = \mathcal{X} \subseteq V_i$. Query $f_i$ for all $x_i \in Q_i$ and store the results. 

3. Local Collision Detection. For $i \in I$ create a list $L_i$ of all tuples 
$(g_i^{-1} \cdot \rho^{-1}(x_i \oplus x_i'), x_i, x_i')$ satisfying $x_i, x_i' \in Q_i$, $x_i \ne x_i'$ and $f_i(x_i) = f_i(x_i')$. 

4. Global Collision Detection. Find a set of $|\chi(g)|$ tuples in the respective 
$L_i$ that all share the same first element. That is, for some $\delta \in \mathbb{F}_{2^e}^{n'}$ 
and $(x_i, x_i')_{i \in I}$ it holds for all $i \in I$ that $(\delta, x_i, x_i') \in L_i$. 

5. Degrees of Freedom. For $i \in \bar I \setminus I$ pick $x_i \leftarrow V_i$ and set $x_i' \leftarrow x_i$. 

6. Finalization. Output $(W,W')$ where 

$W \leftarrow (\varphi(G_{\bar I}^{-T}) \otimes I_{n'}) \cdot \Big(\sum_{i \in \bar I} x_i\Big)$ and $W' \leftarrow (\varphi(G_{\bar I}^{-T}) \otimes I_{n'}) \cdot \Big(\sum_{i \in \bar I} x_i'\Big)$. 


codeword $g$ (and an arbitrary nonzero $\delta$) finds collisions for $H_n$ in expected time 
$d2^n$ (using as many PuRF evaluations). 

5.2 A New Symbiotic Attack 

Our revised version of Watanabe’s attack clearly shows that an attacker potentially 
has a lot of freedom. Below we transform some of this freedom into a faster 
attack. More to the point, as in the revised Watanabe attack we still look for a 
collision with differential $\Delta = \rho(g \otimes \delta)$ and fix the codeword $g \in C$, but we do 
not fix the multiplier $\delta$ up front. Instead we determine it based on the outcomes 
of the queries we make. To increase our success probability, we restrict to the 
same kind of queries as Ozen, Shrimpton, and Stam did. 

Theorem 2 (Symbiotic attack). Let $H = \mathrm{KP}^b([r,k,d]_{2^e})$ be given with $k \ge d$. 
Consider $H_n$ (with $b \mid n$). Then Algorithm 2 finds collisions for $H_n$ in $d2^{dn/(d+1)}$ 
time (using as many PuRF evaluations) and memory (expressed in $n$-bit blocks). 

Proof (Sketch). We will leave showing the correctness of Algorithm 2 to the full 
version of this paper [ref] and only prove here that a collision is expected and that 
the query and time complexities are as claimed. 

Since $|\mathcal{X}| = 2^{\alpha n}$ by construction, the attack has the stated query complexity 
(per PuRF) for $\alpha = d/(d+1)$ since all queries are made during the Query 
Phase. Using a naive approach, the Local Collision Detection step can be 
performed in roughly $2^{dn/(d+1)}$ comparisons resulting in partial collision lists of 
expected cardinality $|L_i| \approx 2^{(2\alpha-1)n}$ for $i \in I$. 

For Global Collision Detection, we just enumerate one partial collision 
list and check for membership against the others. Assuming constant time memory 
access, the time complexity of this step is at most $(d-1)\max_{i \in I}|L_i|$. Since 
$\alpha < 1$ it follows that $2\alpha - 1 < \alpha$ making the Query Phase dominant with its 
time complexity of $2^{\alpha n}$. 

Since we have $d$ active PuRFs in total, the probability of finding a common 
element among $d$ such lists is then $(\prod_{i \in I}|L_i|)/|\mathcal{X}|^{d-1}$, or $2^{((2\alpha-1)d - \alpha(d-1))n}$. To 
ensure an expected number of collisions of one, we need the second exponent to 
be at least zero, and indeed, solving for zero gives the desired $\alpha = d/(d+1)$. □ 


6 A Parametrized Collision-Finding Attack 


6.1 Optimizing the Query Complexity 

The symbiotic attack and the information-theoretic attack by Ozen, Shrimpton, 
and Stam have completely different query complexities and which one is the best 
seems very parameter dependent. However, it turns out that both attacks are the 
extreme cases of a more general parametrized attack, as given by Algorithm 3. 

Theorem 3. Let $H = \mathrm{KP}^b([r,k,d]_{2^e})$ be given. Consider $H_n$ (with $b \mid n$). Then 
collisions for $H_n$ can be found with Alg. 3 using $2^{\alpha n}$ queries (per PuRF) where 

$\alpha = \begin{cases} (r-\theta)/(2k-\theta) & \text{for } 0 \le \theta \le \min(r-d, r-k); \\ (r-\theta)/(r+k-2\theta) & \text{for } r-k \le \theta \le r-d. \end{cases}$ 

Proof. That the attack has the stated query complexity follows readily from the 
usual observation that $|\mathcal{X}| = 2^{\alpha n}$ combined with the computation of $\alpha$ exactly 
matching the theorem statement. What remains to show is that collisions are 
indeed output and expected with good probability. 

For correctness, let $(W,W')$ be output by the algorithm and consider $X = 
C^{\mathrm{PRE}}(W)$ and $X' = C^{\mathrm{PRE}}(W')$. First, notice that Lemma 3 implies that projecting 
$(X \oplus X', X, X')$ onto $\bigoplus_{i \in \bar I} V_i$ gives an element of $L_{\bar I}$. Now, either of the steps Degrees of 
Freedom, Filtering or Skip ensures that $(\Delta, X, X') \in \hat L_I$. Finally, since 
$\hat L_I \subseteq L_I$ it follows that $(x_i, x_i') \in L_i$ for $i \in I$ and hence by construction 
(Local Collision Detection) we have $f_i(x_i) = f_i(x_i')$ for those $i$. 

Moreover, Collision Pruning guarantees that $\Delta + 0 \in \Im(C^{\mathrm{PRE}})$ and Degrees 
of Freedom ensures that the projections of $\Delta + 0$ and $X \oplus X'$ onto 
$\bigoplus_{i \in \bar I} V_i$ are equal. Hence, $x_i = x_i'$ for all $i \in I_0$. 

Let us move on to the number of expected collisions output. Since $|\mathcal{X}| = 2^{\alpha n}$, 
the expected number of local collisions found per active PuRF for $i \in I$ is 
$|L_i| \approx |\mathcal{X}|^2/2^n = 2^{(2\alpha-1)n}$. Using that $|I| = r-\theta$ we arrive at a total number of 
potential collisions of $|L_I| \approx 2^{(2\alpha-1)(r-\theta)n}$. For a true collision to occur, we need 
Algorithm 3 (Parameterized Collision Attack). 

Input: $H = \mathrm{KP}^b([r,k,d]_{2^e})$, an index set $I_0 \subseteq \{1,\dots,r\}$ with $\theta = |I_0|$ and 
$0 \le \theta \le r-d$, and a block size $n = bn'$. 

Output: A colliding pair $(W,W') \in (\{0,1\}^{ekn'})^2$ such that $H_n(W) = 
H_n(W')$, $W \ne W'$, and if $X = C^{\mathrm{PRE}}(W)$ and $X' = C^{\mathrm{PRE}}(W')$ then for 
all $i \in I_0$ it holds that $x_i = x_i'$. 

1. Initialization. Set $I \leftarrow \{1,\dots,r\} \setminus I_0$, determine $\bar I$, and set 

$\alpha \leftarrow \begin{cases} (r-\theta)/(2k-\theta) & \text{for } 0 \le \theta \le \min(r-k, r-d); \\ (r-\theta)/(r+k-2\theta) & \text{for } r-k \le \theta \le r-d. \end{cases}$ 

2. Query Phase. As in Algorithm 2. 

3. Local Collision Detection. For $i \in I$ create a list $L_i$ of all tuples 
$(x_i \oplus x_i', x_i, x_i')$ satisfying $x_i, x_i' \in Q_i$, $x_i \ne x_i'$ and $f_i(x_i) = f_i(x_i')$. 

4. Merge Phase. Create $L_I = \{\sum_{i \in I}(\Delta_i, x_i, x_i') \mid (\Delta_i, x_i, x_i') \in L_i\}$. 

5. Collision Pruning. Create $\hat L_I$ consisting precisely of those elements of 
$L_I$ whose first vector (when mapped to the full space) is in $\Im(C^{\mathrm{PRE}})$: 

$\hat L_I = \{(\Delta, X, X') \mid (\Delta, X, X') \in L_I \wedge \Delta + 0 \in \Im(C^{\mathrm{PRE}})\}$. 

6. Filtering. If $\bar I \subset I$ then only select $(\Delta, X, X') \in \hat L_I$ for which $X$ is 
in the projection of $\Im(C^{\mathrm{PRE}})$ onto $\bigoplus_{i \in I} V_i$. Create $L_{\bar I}$ by projecting the 
selected elements in $\hat L_I$ to the subspace $\bigoplus_{i \in \bar I} V_i$. 

7. Degrees of Freedom. If $I \subset \bar I$, then for $i \in \bar I \setminus I$ pick $x_i \leftarrow V_i$ and set 
$x_i' \leftarrow x_i$. Create $L_{\bar I}$ by adding $\sum_{i \in \bar I \cap I_0}(0, x_i, x_i)$ to all elements in $\hat L_I$. 

8. Skip. If $I = \bar I$ set $L_{\bar I} \leftarrow \hat L_I$. 

9. Finalization. For some $(\Delta, X, X') \in L_{\bar I}$ output $(W,W')$ where 

$W \leftarrow (\varphi(G_{\bar I}^{-T}) \otimes I_{n'}) \cdot X$ and $W' \leftarrow (\varphi(G_{\bar I}^{-T}) \otimes I_{n'}) \cdot X'$. 


to find a tuple $(x_i, x_i')_{i \in I}$ such that both $\sum_{i \in I} x_i$ and $\sum_{i \in I} x_i'$ can be completed 
to codewords subject to the constraint that $x_i = x_i'$ for $i \in I_0$. 

If the eventual collision consists of $(X, X')$, then $\Delta = X \oplus X'$ is a codeword 
as well and the above implies that $\Delta_i = 0$ for $i \in I_0$. Hence, Lemma 1 applies 
and $\Delta = \sum_{i \in I} \Delta_i$ is somehow ‘spanned’ by the shortened code. The restriction 
$\theta \le r-d$ ensures nontriviality of the shortened code (shortening any further and 
the shortened code would consist of the zero codeword only, resulting in $W = 
W'$, so no collision). In case of MDS codes, the shortened code has parameters 
$[r-\theta, k-\theta, d']_{2^e}$, in particular it has dimension $k-\theta$. (For non-MDS codes it 
is possible that a higher dimension is achieved.) 

As a result, a fraction $2^{(k-r)\alpha n}$ of the differentials will be satisfactory, leading 
to an expected number of $|\hat L_I| \approx 2^{((2\alpha-1)(r-\theta) - \alpha(r-k))n}$. If $I \subseteq \bar I$, or equivalently 
$r-\theta \le k$, we are done whenever $|\hat L_I| \ge 1$. Since $r-\theta \le k$ can be rewritten to 
$\theta \ge r-k$ we are in the second case, with $\alpha = (r-\theta)/(r+k-2\theta)$. Writing 
$F = (\lg |\hat L_I|)/n$ and substitution lead to $F \approx (2\alpha-1)(r-\theta) - \alpha(r-k) = 
\alpha(2r - 2\theta - r + k) - (r-\theta) = 0$ or $|\hat L_I| \approx 1$ as desired. 

If on the other hand $\bar I \subset I$, further filtering is needed. In particular, given 
a potential ‘half’ of a collision $X$ we need to check if it can correspond to a 
codeword. Since $\bar I \subseteq I$, we can uniquely complete $X$ to a codeword given $k$ 
of its elements (all within $\bar I$). The remaining $|I| - k$ coordinates need to be 
in sync. Per remaining element, this occurs with probability $2^{-\alpha n}$, leading to 
$|L_{\bar I}| \approx |\hat L_I| \cdot 2^{-\alpha n(r-\theta-k)}$. Now we are in the first case since $0 \le \theta \le r-k$. 
Writing $F = (\lg |L_{\bar I}|)/n$, we obtain $F \approx ((2\alpha-1)(r-\theta) - \alpha(r-k)) - \alpha(r-\theta-k) = 
\alpha(2k-\theta) - (r-\theta)$. Since we aim for $F = 0$, $\alpha = (r-\theta)/(2k-\theta)$ as desired. □ 

Corollary 1. Assuming $d \le k$, substitution of $\theta = r-k$ in Theorem 3 gives 
$\alpha = k/(3k-r)$. This is optimal (for Algorithm 3) whenever $r < 2k$. 

Proof. That the substitution does what it says can be readily verified, so we restrict 
ourselves to proving the optimality here. Let $f_1(\theta) = (r-\theta)/(2k-\theta)$ and $f_2(\theta) = 
(r-\theta)/(r+k-2\theta)$ be two real valued functions defined over the closed intervals 
$0 \le \theta \le r-k$ and $r-k \le \theta \le r-d$ respectively. Note that both $f_1(\theta)$ and 
$f_2(\theta)$ are continuous in their respective domains (since their respective poles 
fall outside the domains). So both $f_1(\theta)$ and $f_2(\theta)$ attain their maximum and 
minimum in the closed intervals $[0, r-k]$ and $[r-k, r-d]$ respectively. Since 
$f_1'(\theta) = (r-2k)/(2k-\theta)^2 < 0$ (for $r < 2k$) and $f_2'(\theta) = (r-k)/(r+k-2\theta)^2 > 0$ 
we can conclude that $f_1(\theta)$ is decreasing and $f_2(\theta)$ is increasing. Therefore, they 
both attain their minimum at their shared boundary $\theta = r-k$. □ 

Remark 1. The only two parameter sets proposed by Knudsen and Preneel not 
satisfying the conditions of the corollary above are $[4,2,3]_8$ and $[5,2,4]_8$. In both 
cases $d > k$ and only $f_1(\theta)$ is applicable. For $[5,2,4]_8$ one can check that $2k < r$ 
and $f_1'(\theta) > 0$. Hence, the minimum $\alpha$ is attained at $\theta = 0$. For $[4,2,3]_8$ it holds 
that $2k = r$, so that $f_1(\theta)$ is in fact a constant function and both $\theta = 0$ and 
$\theta = 1$ lead to the same $\alpha$. 

Remark 2. Substitution of $\theta = 0$ in Theorem 3 gives $\alpha = r/(2k)$ and the resulting 
query complexity coincides with that reported by Ozen, Shrimpton, and Stam. 
On the other extreme, substitution of $\theta = r-d$ gives $\alpha = d/(2d - r + k)$ 
(assuming $d \le k$). For MDS codes this simplifies to $\alpha = d/(d+1)$, this time duly 
coinciding with our symbiotic attack. For non-MDS codes there seems to be a 
slight mismatch. The reason is that if a non-MDS code is maximally shortened 
(by $\theta = r-d$), the shortened code has dimension 1, whereas in the derivation of 
Theorem 3 we pessimistically assumed $k - \theta = 0$ (at least for the KP non-MDS 
codes that satisfy $r - d = k$). Correcting for this looseness would result in a 
match with the symbiotic attack. 


6.2 Generic Collision Attack against MDS Constructions 

If we want to run Algorithm 3 (with fixed $\theta = r-k$ and $\alpha = k/(3k-r)$ as obtained 
in Corollary 1) we ideally want a time complexity almost coinciding with the 
targeted query complexity. For $\theta = r-k$ it holds that $I = \bar I$, obviating the need 
for the steps Filtering and Degrees of Freedom. We have already seen 
that Local Collision Detection costs at most a small logarithmic factor, 
which leaves only the Merge Phase and Collision Pruning to worry about. 
Together, these two steps are designed to produce $\hat L_I$. A naive approach would 
enumerate all elements in the much larger $L_I$, which is wasteful. Our task is 
therefore, given the lists of partial collisions $L_i$ for $i \in I$, to create $\hat L_I$ more 
efficiently. 

In the sequel, we will follow in the footsteps of Ozen, Shrimpton, and Stam 
who used the dual code in a similar problem related to their preimage-finding 
attack. An important innovation for the collision-finding attack stems from the 
realization that A can be regarded as belonging to the (quasi) shortened code. 
This allows the use of the dual of the shortened code to speed up the search. As 
the minimum distance of the dual code is an important parameter in determining 
the overall time-complexity and shortening a code reduces the minimum distance 
of its dual accordingly, we make a significant efficiency gain this way. 

Road map. We present our collision attack against Knudsen-Preneel compression 
functions whose $C^{\mathrm{PRE}}$ is based on MDS codes in Alg. 4, whereas its analysis is 
given in Thm. 4. We leave the generalization of our attack to (KP-suggested) 
non-MDS parameters together with the proof of Thm. 4 to the full version of 
this work, where we also investigate a more space efficient version of Alg. 4. 

Reducing the Time Complexity. Since $I = \bar I$ and $\theta = r-k$, we know 
from Algorithm 3 that it is enough to find a nonzero $\Delta \in \Im(C^{\mathrm{PRE}})$ of the form 
$\Delta = \Delta' + 0$ for $\Delta' = \sum_{i \in I} \Delta_i$ to complete the collision. Now notice that $\Delta'$ 
is lying in a smaller space $\Im(C'^{\mathrm{PRE}})$ identified by $C'$, the $[r-\theta, k-\theta, d']$ 
shortened code obtained from $C$ (by dropping the zeroes of the codewords from 
all the positions appearing in $I_0$). This observation allows us to guarantee that 
$\Delta \in \Im(C^{\mathrm{PRE}})$ once we determine that a candidate $\Delta'$ is in $\Im(C'^{\mathrm{PRE}})$. Hence, it is 
enough for our purposes to limit ourselves to $\Im(C'^{\mathrm{PRE}})$ rather than looking for 
membership in the larger space $\Im(C^{\mathrm{PRE}})$. 

To this end, we first identify an index set $I_{h'} \subseteq \{1, \dots, r\}$ (the role of $h'$ will
be explained momentarily) defining a subspace $\bigoplus_{i \in I_{h'}} V_i$ for which $S(C'^{\mathrm{PRE}})$,
when restricted to this subspace, is not surjective. As a consequence, we will
be able to prune significantly the total collection of candidate $\Delta'$s, keeping only
those that are possibly in $S(C'^{\mathrm{PRE}})$ (restricted to $\bigoplus_{i \in I_{h'}} V_i$). In the sequel, we
will show how to efficiently find an index set $I_{h'}$, and how to efficiently prune.

An important parameter determining the runtime of our collision attack is
$d'^{\perp}$, the minimum distance of the dual of the shortened code. Let $\chi$ be the function
that maps $h' \in C'^{\perp}$ to the set of indices of non-zero entries in $h'$. Thus $\chi(h') \subseteq
\{1, \dots, r\}$ and $|\chi(h')|$ equals the Hamming weight of the codeword $h'$.

An easy adaptation of the earlier proposition shows that if we are given a codeword
$h' \in C'^{\perp}$ and an element $\Delta' \in \mathbb{F}_2^{(r-\theta)en'}$, then $\Delta'$ can only be in $S(C'^{\mathrm{PRE}})$
if $(\varphi(h'^{T}) \otimes I_{n'}) \cdot \Delta' = 0$, where the only parts of $\Delta'$ relevant for this check
are those lining up with the nonzero entries of $h'$. Indeed, an element $\Delta'_{h'} \in
\sum_{i \in \chi(h')} L_i$ can be completed to an element in the range of the derived mapping
$C'^{\mathrm{PRE}}$ iff $(\varphi(h'^{T}) \otimes I_{n'}) \cdot (\Delta'_{h'} + 0) = 0$. Efficient creation of

$$L_{h'} = \Big\{ (\Delta'_{h'}, X, X') \in \sum_{i \in \chi(h')} L_i \;\Big|\; (\varphi(h'^{T}) \otimes I_{n'}) \cdot (\Delta'_{h'} + 0) = 0 \Big\}$$

can be done by adapting standard techniques: split the codeword
in two and look for all collisions in the respective entries. That is, assume that
$h' = h'_0 + h'_1$ with $\chi(h'_0) \cap \chi(h'_1) = \emptyset$ and define, for $j = 0, 1$,

$$L_{h'_j} = \Big\{ \big(\Delta'_{h'_j}, X_j, X'_j, (\varphi(h'^{T}_j) \otimes I_{n'}) \cdot (\Delta'_{h'_j} + 0)\big) \;\Big|\; (\Delta'_{h'_j}, X_j, X'_j) \in \sum_{i \in \chi(h'_j)} L_i \Big\}.$$

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Then $L_{h'}$ consists of those elements $\Delta'_{h'_0} + \Delta'_{h'_1}$ for which $(\Delta'_{h'_0}, X_0, X'_0, Y_0) \in
L_{h'_0}$, $(\Delta'_{h'_1}, X_1, X'_1, Y_1) \in L_{h'_1}$ and $Y_0 = Y_1$.

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Algorithm 4 (Collision Attack against MDS-based schemes).

Input: $H = \mathrm{KP}^b([r, k, d]_{2^e})$, an index set $J_0 \subseteq \{1, \dots, r\}$ with $\theta = |J_0| = r-k$,
and a block size $n = bn'$.

Output: A colliding pair $(W, W') \in (\{0,1\}^{ekn})^2$ such that $H_n(W) =
H_n(W')$, $W \neq W'$, and if $X = C^{\mathrm{PRE}}(W)$ and $X' = C^{\mathrm{PRE}}(W')$ then for
all $i \in J_0$ it holds that $x_i = x'_i$.

1. Initialization. Set $J \leftarrow \{1, \dots, r\} \setminus J_0$ (with $|J| = k$), $I = J$, and set
$\alpha \leftarrow k/(3k-r)$. Obtain $C'$ consisting of the codewords $g' \in C'$ that are
constructed from $g \in C$ by dropping the zeroes of $g$ from all the positions
appearing in $J_0$.

2. Query Phase. As in the general collision algorithm.

3. Local Collision Detection. As in the general collision algorithm.

4. Merge Phase. Find a nonzero codeword $h' \in C'^{\perp}$ of minimum Hamming
weight $d'^{\perp} = 2k-r+1$. Let $h' = h'_0 + h'_1$ with $\chi(h'_0) \cap \chi(h'_1) = \emptyset$ and of
Hamming weights $\lceil d'^{\perp}/2 \rceil$ and $\lfloor d'^{\perp}/2 \rfloor$ respectively. Create for $j = 0, 1$
the lists $L_{h'_j}$ defined above, both sorted on their fourth component.

5. Join Phase. Create $L_{h'}$ consisting exactly of those elements $\Delta'_{h'_0} + \Delta'_{h'_1}$
for which $(\Delta'_{h'_0}, X_0, X'_0, Y_0) \in L_{h'_0}$, $(\Delta'_{h'_1}, X_1, X'_1, Y_1) \in L_{h'_1}$ and $Y_0 = Y_1$.

6. Collision Pruning. For all $(\Delta'_{h'}, X, X') \in L_{h'}$ create the unique $\Delta'$
corresponding to it and check whether it results in $\Delta_i \in L_i$ for all $i \in J (=
I)$. If so, keep $\Delta' = \sum_{i \in I} \Delta_i$ in $L_I$. Formally

$$L_I = \Big\{ \Delta' \in \sum_{i \in I} L_i \;\Big|\; \Delta' \in S(C'^{\mathrm{PRE}}) \Big\}.$$

7. Skip & 8. Finalization. As in the general collision algorithm.

By sorting the two $L_{h'_j}$'s the time complexity of creating $L_{h'}$ is then roughly
the maximum cardinality of the two sets $L_{h'_0}$ and $L_{h'_1}$. Hence, the main trick to
reduce the time complexity is to minimize the Hamming weights of $h'_0$ and $h'_1$,
which is done by picking a codeword $h' \in C'^{\perp}$ of minimum weight $d'^{\perp}$ and splitting
it (almost) evenly. As a result, for partial collision lists of (almost) the same
cardinality $S$, $L_{h'}$ can be constructed in $S^{\lceil d'^{\perp}/2 \rceil}$ time using $S^{\lfloor d'^{\perp}/2 \rfloor}$ memory
(ignoring inconsequential factors). We summarize our analysis in Thm. 4.

Theorem 4. Let $H = \mathrm{KP}^b([r, k, d]_{2^e})$ be given and let $C'$ be the shortened $[r-\theta, k-\theta, d]_{2^e}$
code derived from $C$ for $\theta = r-k$. Let $d'^{\perp}$ be the minimum distance of the
dual code of $C'$. Suppose $C$ is MDS (so is $C'$, with $d'^{\perp} = 2k-r+1$) and consider
the collision attack described in Alg. 4 run against $H_n$ using $q = 2^{\alpha n}$ queries for
$\alpha = k/(3k-r)$. Then the expected number of collision outputs is equal to one
and the expectations for the internal list sizes are (for $i \in I$):

$$|L_i| = 2^{(2\alpha-1)n}, \qquad |L_{h'}| = 2^{((2\alpha-1)d'^{\perp} - \alpha)n},$$
$$|L_{h'_0}| = 2^{(2\alpha-1)\lceil d'^{\perp}/2 \rceil n}, \qquad |L_{h'_1}| = 2^{(2\alpha-1)\lfloor d'^{\perp}/2 \rfloor n}.$$

The average-case time complexity of the algorithm is $\max(q, |L_{h'_0}|, |L_{h'}|)$ with
a memory requirement of $\max(q, |L_{h'_1}|)$ (expressed in $cn$-bit blocks).


7 Conclusion 

In this paper we provide an extensive security analysis of the Knudsen-Preneel 
compression functions by focusing on their collision resistance. We present three 
improved collision attacks namely the revised Watanabe, symbiotic collision and 
parametrized collision attacks. Our new attacks work with the least number 
of queries reported so far. Moreover, except for only one out of 16 suggested 
parameters, these attacks beat the time-complexity of any prior attack we are 
aware of. 

Acknowledgments. We thank Joachim Rosenthal and Thomas Shrimpton for 
their useful comments and suggestions. 
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Abstract. "Generic" Unbalanced Feistel Schemes with Expanding
Functions are Unbalanced Feistel Schemes with truly random internal
round functions from $n$ bits to $(k-1)n$ bits with $k \ge 3$. From a practical
point of view, an interesting property of these schemes is that since
$n < (k-1)n$ and $n$ can be small (8 bits for example), it is often possible
to store these truly random functions in order to design efficient schemes
(example: CRUNCH, cf. [8]). Attacks on these generic schemes were studied
in [7] and [18]. As pointed out in [7] and [18], there are surprisingly
many more possibilities for these attacks than for generic balanced Feistel
schemes or generic unbalanced Feistel schemes with contracting functions.
In fact, this large number of attack possibilities makes the analysis
difficult. In this paper, we methodically analyze these attacks again.
We have created a computer program that systematically analyzes all the
possible attacks and detects the most efficient ones. We have detected a
condition on the internal variables that was not clearly analyzed in [18],
and we have found many new improved attacks by a systematic study
of all the "rectangle attacks" when $k \le 7$, and then we have generalized
these improved attacks for all $k$. Many simulations of our improved
attacks have also been done and they confirm our theoretical analysis.

Keywords: Unbalanced Feistel permutations, pseudo-random permutations,
generic attacks on encryption schemes, block ciphers.


1 Introduction 

A classical way to construct a permutation from $\{0,1\}^N$ to $\{0,1\}^N$ is to use Feistel
schemes with $d$ rounds built with round functions $f_1, \dots, f_d$. In order to get a
"Random Feistel Scheme", these round functions need to be randomly chosen.
"Generic attacks" on these schemes are attacks that are valid for most of the
round functions.

The most usual Feistel schemes are when $N = 2n$ and the functions $f_i$ are
from $\{0,1\}^n$ to $\{0,1\}^n$. Such schemes are called "balanced Feistel schemes" and
they have been studied a lot since the famous paper by M. Luby and C. Rackoff.

M. Abe (Ed.): ASIACRYPT 2010, LNCS 6477, 2010.
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Many results have been obtained on the security of such classical Feistel
schemes. When the number of rounds
is lower than 5, we know attacks with less than $2^N$ ($= 2^{2n}$) operations: for 5
rounds, an attack in $O(2^n)$ operations is known, and for 3 or 4 rounds an
attack in $\sqrt{2^n}$ is known. When the functions are permutations, similar
attacks for 5 rounds are known. Therefore, for security, at least 6
rounds are recommended, i.e. each bit will be changed at least 3 times.

When $N = kn$ and when the round functions are from $(k-1)n$ bits to $n$
bits, we obtain what is called an "Unbalanced Feistel Scheme with contracting
functions". M. Naor and O. Reingold give security when for the first and
the last rounds pairwise independent functions are used instead of random contracting
functions. Security proofs for these schemes have also been given. At
Asiacrypt 2006, generic attacks on such schemes have been studied.

When $N = kn$ and when the round functions are from $n$ bits to $(k-1)n$
bits, we obtain what is called an "Unbalanced Feistel Scheme with expanding
functions", also called "complete target heavy imbalanced Feistel networks".
Generic attacks on Unbalanced Feistel Schemes with expanding functions
are the theme of this paper. One advantage of these schemes is that it requires
much less memory to store a random function from $n$ bits to $(k-1)n$ bits than
a random function from $(k-1)n$ bits to $n$ bits. Unbalanced Feistel Schemes with
expanding functions together with the xor of random permutations have been
used in the construction of the hash function CRUNCH for the cryptographic
hash algorithm competition organized by NIST in 2008 (cf. [8]). Our results give
a lower bound for the number of rounds used to construct this hash function.

Other kinds of Feistel Schemes are used for well known block ciphers. For example,
BEAR and LION [2] are two block ciphers which employ both expanding
and contracting unbalanced Feistel networks. The AES candidate MARS also
uses a similar structure.

Attacks on Unbalanced Feistel Schemes with expanding functions have been
previously studied by C.S. Jutla ([7]) and improved attacks were given in [18].
However, some of the attacks presented in [18] need too many conditions on
the internal variables. These attacks work, but with weak keys. In this paper, we
make a systematic study of the equations between the internal variables to avoid
unlikely collisions on the round functions. Thus we get additional conditions.
Nevertheless, with more conditions, we show that it is still possible to attack the
same number of rounds as in [18]. In Known Plaintext Attacks (KPA), we obtain
the same complexity except for $d = 3k-1$ where our complexity is slightly greater
than in [18], but we do not have too many conditions on the internal variables.
For Non-Adaptive Chosen Plaintext Attacks (CPA-1), we give a general method
to obtain CPA-1 from KPA. Then we get complexities that are, most of the time,
better than the ones in [18]. We also show that the best CPA-1 are not derived
from the best KPA. For $k \le 7$, we have generated all the possible attacks, thus
the attacks presented here are the best possible attacks. We believe that the
generalization of these attacks for any $k$ still gives the best possible attacks. We
also provide simulation results for $k = 3$.
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The paper is organized as follows. First we introduce some notation and definitions.
Then we give an overview of the attacks. In Section 4 we show how
we have generated all the possible attacks for $k \le 7$. In Section 5 we introduce
the different kinds of attacks we will use. These attacks, named TWO, R1, R2,
R3 and R4, generalize the attacks of [18]. Then in Section 6 we present R1 and R2
KPA attacks. In Section 7 we show how to get CPA-1 from KPA. In Section 8
we study R1 and R2 CPA-1 attacks and we give the results of our simulations. Finally,
all the results are summarized in the last section.

2 Notation 

2.1 Unbalanced Feistel Schemes Notation 

We first describe Unbalanced Feistel Schemes with Expanding Functions $F_k^d$
and introduce some useful notation. $F_k^d$ is a Feistel scheme of $d$ rounds that
produces a permutation from $kn$ bits to $kn$ bits. At each round $j$, we denote
by $f_j$ the round function from $n$ bits to $(k-1)n$ bits. $f_j$ is defined as
$f_j = (f_j^{(1)}, \dots, f_j^{(k-1)})$ where each function $f_j^{(i)}$ is defined from $\{0,1\}^n$
to $\{0,1\}^n$. On some input $[I_1, I_2, \dots, I_k]$, $F_k^d$ produces an output denoted by
$[S_1, S_2, \dots, S_k]$ by going through $d$ rounds. At round $j$, the first $n$ bits of the
round entry are called $X^{j-1}$. We can notice that $I_1 = X^0$. We compute $f_j(X^{j-1})$
and obtain $(k-1)n$ bits. Those bits are xored to the $(k-1)n$ last bits of the
round entry and the result is rotated by $n$ bits.

The first round is represented in Figure 1 below.

[Figure 1: the round entry $[X^0 \,|\, I_2, \dots, I_k]$ ($n$ bits followed by $(k-1)n$ bits);
$f_1(X^0)$ is xored onto the last $(k-1)n$ bits and the result is rotated by $n$ bits, so
that $X^0$ becomes the last block of the round output.]

Fig. 1. First Round

We have

$$X^0 = I_1, \qquad X^1 = I_2 \oplus f_1^{(1)}(X^0),$$
$$X^2 = I_3 \oplus f_1^{(2)}(X^0) \oplus f_2^{(1)}(X^1),$$
$$X^3 = I_4 \oplus f_1^{(3)}(X^0) \oplus f_2^{(2)}(X^1) \oplus f_3^{(1)}(X^2).$$

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More generally, we can express the $X^i$ recursively:

$$\forall i < k, \quad X^i = I_{i+1} \oplus \bigoplus_{j=1}^{i} f_j^{(i-j+1)}(X^{j-1}),$$
$$\forall s \ge 0, \quad X^{k+s} = X^s \oplus \bigoplus_{i=2}^{k} f_{s+i}^{(k-i+1)}(X^{s+i-1}).$$

After $d$ rounds ($d \ge k+1$), the output $[S_1, S_2, \dots, S_k]$ can be expressed by using
the introduced values $X^i$:

$$S_k = X^{d-1},$$
$$S_{k-1} = X^{d-2} \oplus f_d^{(k-1)}(X^{d-1}),$$
$$S_{k-2} = X^{d-3} \oplus f_{d-1}^{(k-1)}(X^{d-2}) \oplus f_d^{(k-2)}(X^{d-1}),$$
$$S_\ell = X^{d-1-k+\ell} \oplus \bigoplus_{i=d-k+\ell}^{d-1} f_{i+1}^{(\ell+d-i-1)}(X^i),$$
$$S_1 = X^{d-k} \oplus \bigoplus_{i=d-k+1}^{d-1} f_{i+1}^{(d-i)}(X^i).$$

We don't need another notation, but for a better understanding we introduce a
notation for the intermediate values. After round $p$, we obtain $[M_1^p, M_2^p, \dots, M_k^p]$.
So we have $M_1^p = X^p$ and for all $i \in \{1, 2, \dots, k\}$, $M_i^0 = I_i$ and $M_i^d = S_i$.

2.2 Differential Attack Notation

Our attacks use sets of points. A point is a plaintext/ciphertext pair. The total
number of points gives us the complexity of the attack. From the set of points
we extract all the $\varphi$-tuples of distinct points $P(1), P(2), \dots, P(\varphi)$, and we count
how many $\varphi$-tuples verify some equalities (see Figure 2 for an example).

Now, we can describe an attack with a differential path. With the path we can
explain why the number of $\varphi$-tuples that match the conditions is larger
for an $F_k^d$ scheme than for a random permutation. We introduce more definitions.


[Figure 2: six points $P(1), \dots, P(6)$ drawn as a ladder. Horizontal conditions link
points $1, 3, 5$ and points $2, 4, 6$ (e.g. $I_1(1) = I_1(3)$, $I_1(3) = I_1(5)$); vertical conditions
link points $2j+1$ and $2j+2$ (e.g. $S_3(1) = S_3(2)$, $I_2(3) = I_2(4)$, $S_3(5) = S_3(6)$).]

Fig. 2. Example of equalities for $\varphi = 6$
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After $p$ rounds, we define "horizontal equalities" on part $M_i$ of the output $M$
as $M_i^p(1) = M_i^p(3) = \dots = M_i^p(\varphi-1)$ and $M_i^p(2) = M_i^p(4) = \dots = M_i^p(\varphi)$.
Let $\ell = \frac{\varphi}{2} - 1$. "Vertical equalities" on part $M_i$ are given by $\forall j, 0 \le j \le
\ell$, $M_i^p(2j+1) = M_i^p(2j+2)$. We also define "differential equalities" on part $M_i$
by $\forall j, 0 \le j \le \ell-1$, $M_i^p(2j+1) \oplus M_i^p(2j+2) = M_i^p(2j+3) \oplus M_i^p(2j+4)$.
Notice that when we have the differential equalities, in order to get the horizontal
equalities it is enough to have the first sequence of equalities, and for the vertical
equalities it is enough to get only the first one. When we impose some equalities,
we call them conditions (they are satisfied with probability $\frac{1}{2^n}$). This may imply
that other equalities will be satisfied with probability 1. On the input and output
variables we will always have $\ell$ differential conditions and either horizontal or
vertical conditions. On the internal variables, we will get horizontal or vertical
equalities and moreover we will impose more vertical or horizontal conditions.
We need to always have differential equalities. When we impose new conditions
on the internal variables, we must check that we do not add too many of them.
We now give an example with an attack over the $F_3^6$ scheme. See Table 1.


Table 1. $F_3^6$ attack

  i (round) | $M_1^i(2j+1) \oplus M_1^i(2j+2)$ | $M_2^i(2j+1) \oplus M_2^i(2j+2)$ | $M_3^i(2j+1) \oplus M_3^i(2j+2)$
  0         | 0                 | 0                 | $\Delta_1$
  1         | 0                 | $\Delta_1$        | 0
  2         | $\cdot\Delta_1$   | $\cdot 0$         | 0
  3         | $\cdot\Delta_2$   | $\Delta_3$        | $\cdot\Delta_1$
  4         | 0                 | $\cdot 0$         | $\cdot\Delta_2$
  5         | 0                 | $\Delta_2$        | 0
  6         | $\Delta_2$        | 0                 | 0

The "$\cdot$" in this table means that there are horizontal equalities or conditions.
The "0" in the table means that there are vertical equalities or conditions. This
notation will be used for any attack. We can count the total number of conditions
for the different parts: $n_I = 3\ell + 2$ (number of input conditions), $n_X = 2\ell + 2$
(number of internal conditions), $n_S = 3\ell + 2$ (number of output conditions).
If a $\varphi$-tuple follows the path, i.e. if it satisfies both the input and the internal
conditions, then it will verify the output conditions. But there exist other ways
to verify both these output conditions and the input conditions. So, we can prove
that the number of $\varphi$-tuples will be greater for an $F_3^6$ permutation.

3 Example: CPA-1 Attack on $F_3^6$

We present here a first example where we have obtained a new and better attack
than previously known for $F_3^6$. In the next sections a complete analysis will be
given for more general parameters. This attack is the one described in Table 1
with $\varphi = 4$ and so $\ell = 1$. Figure 3 illustrates this attack. It explains the terms
of horizontal and vertical equalities. Moreover, conditions are represented by a
solid edge and equalities that are automatically satisfied by a dotted edge.
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We will generate all the possible messages $[I_1, I_2, I_3]$ such that $I_1 = 0$ and the
first $n/2$ bits of $I_2$ are 0. So, we will generate exactly $m = 2^{3n/2}$ messages. How
many 4-tuples of points will verify the input conditions? For the first message
we have $m$ possibilities. For the second we have only $2^n$ possibilities because $I_1$
and $I_2$ are imposed by the first message. For the third point we have again $m$
possibilities, and then we have no choice for the last point. Therefore there are
$m^2 \times 2^n = 2^{4n}$ 4-tuples of points that satisfy all the input conditions. For an $F_3^6$
scheme, each of these tuples will satisfy at random the 4 internal conditions with
a probability equal to $1/2^{4n}$. So, the expected number of 4-tuples that satisfy
also the output conditions will be approximately 1. Since there are 5 output
conditions, the expected number of 4-tuples that satisfy the input conditions and
the output conditions will be much lower for a random permutation. So, this
CPA-1 attack will succeed with a high probability. We have found here a CPA-1
attack with $O(2^{3n/2})$ complexity and $O(2^{3n/2})$ messages. This is better than the
$O(2^{5n/3})$ found in [18]. To find this complexity we can also use Table 3 with
$r = 2$, $n_X = 4$, $\ell = 1$ and $k = 3$.

Moreover we have checked that all the other path conditions are verified (see
Section 4) and this attack has been simulated by computer. For example, with
$n = 10$ and 1000 attacks, we were able to distinguish 575 $F_3^6$ schemes from a
random permutation, so the percentage of success is about 57.5%.

4 Generation of All Possible Attacks for $k \le 7$

In this section we describe the way we generate all the possible attacks for $k \le 7$.
First we choose a value for $k$, then we increase the value of $d$, beginning with
$d = 1$, until we find no possible attacks. All the attacks (or sometimes only the
best attacks when their number is too large) are put in a specific file
corresponding to the values of $k$ and $d$.

To find an attack, we need to construct all the differential paths. There are two
constraints for this construction:

— In the same round, it is not possible to have $k$ vertical conditions, because it
leads to a collision between the points, i.e. $P(1) = P(2)$ and $P(3) = P(4)$
and $\dots$ $P(\varphi-1) = P(\varphi)$.
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— In the same round, it is not possible to have $k$ horizontal conditions, because it
also leads to a collision between the points, i.e. $P(1) = P(3) = \dots = P(\varphi-1)$
and $P(2) = P(4) = \dots = P(\varphi)$.

When the path is constructed, we check whether the attack is valid. To be valid, an
attack must satisfy five constraints.

1. The complexity of the attack must be smaller than the total number of
possible messages: $\frac{n_I + n_X}{2\ell + 2} \le k$.

2. There must be fewer internal conditions than output conditions: $n_X \le n_S$.

3. If $n_X = n_S$ then $n_S$ must be different from the number of final consecutive
vertical conditions in the output conditions. If not, it is easy to prove that
the output conditions are completely equivalent to the internal conditions.
So, the output conditions will not happen more often than for a random
permutation.

4. The number of equalities inside the path must be smaller than the number
of variables included in them. Moreover we do not consider equalities when
a variable occurs only once in all the equalities.

Let us take an example: the attack given in Section 2.2. The equations
are: $f_3^{(1)}(X^2 \oplus \Delta_1) \oplus f_3^{(1)}(X^2) = \Delta_2$, $f_3^{(2)}(X^2 \oplus \Delta_1) \oplus f_3^{(2)}(X^2) = \Delta_3$,
$f_4^{(1)}(X^3 \oplus \Delta_2) \oplus f_4^{(1)}(X^3) = \Delta_3$, $f_4^{(2)}(X^3 \oplus \Delta_2) \oplus f_4^{(2)}(X^3) = \Delta_1$. We have 4 equations
and 5 variables $X^2, \Delta_1, \Delta_2, \Delta_3, X^3$. All the variables are used in at least 2
equalities, so we cannot simplify.

5. There is no bottleneck in the equalities, i.e. any subset of equalities must
involve a greater number of variables. If it is not the case, the attack will
only work with very particular functions (weak keys). This last point is very
difficult to carry out without the help of a computer.

Finally, all the possible attacks are sorted according to their complexity (KPA
or CPA-1). For example there are 71 different attacks on the $F_3^6$ scheme, and 20
attacks with a CPA-1 complexity equal to $2^{3n/2}$.

All possible attacks are given in an extended version of this paper. In the next
sections, we generalize for any $k$ the best attacks (KPA and CPA-1) obtained
for $k \le 7$.

5 Different Kinds of Attacks: TWO, R1, R2, R3 and R4

5.1 TWO Attacks

The TWO attack consists in using two plaintext/ciphertext pairs and in counting
the number $\mathcal{N}_{F_k^d}$ of couples of these pairs that satisfy the relations between the
input and output variables. We then compare $\mathcal{N}_{F_k^d}$ with $\mathcal{N}_{perm}$, where $\mathcal{N}_{perm}$
is the number of couples of pairs for a random permutation instead of $F_k^d$. The
attack is successful, i.e. we are able to distinguish $F_k^d$ from a random permutation,
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if the difference $|E(\mathcal{N}_{F_k^d}) - E(\mathcal{N}_{perm})|$ is much larger than the standard deviation
$\sigma_{perm}$ and than the standard deviation $\sigma_{F_k^d}$, where $E$ denotes the expectation.

These attacks give the best attacks from 1 round to $k+2$ rounds. They are
studied in [18]. Their complexity is summarized in the last section.

5.2 R1 Attacks

Here we have vertical conditions on the input and output variables. These attacks
are more general than the attacks named R1 in [18] since we allow more vertical
conditions on the input and output variables. These attacks were first described
by Jutla ([7]). With our differential notation, we have:

            $I_1 \dots I_r$    $I_{r+1} \dots I_k$
  Round 0   $0 \dots 0$        $\Delta^0_{r+1} \dots \Delta^0_k$

            $S_1 \dots S_{k-v}$                $S_{k-v+1} \dots S_k$
  Round d   $\Delta^d_1 \dots \Delta^d_{k-v}$   $0 \dots 0$

Thus, $n_I = k\ell + r$, $n_X = t\ell + w$, $n_S = k\ell + v$. Here $n_I$ denotes the conditions on
the input variables, $\ell = \frac{\varphi}{2} - 1$, and the number of vertical conditions on the input
variables is $r$. $n_X$ denotes the number of conditions on the internal variables;
we use $t$ for horizontal conditions and $w$ for vertical conditions. Similarly, $n_S$
and $v$ denote respectively the number of conditions and the number of vertical
conditions on the output variables. Then the number of rounds is given by $r +
t + w$. When $n_X < n_S$, we can easily obtain a sufficient condition of success
(without computing the standard deviation), since in that case we will have for
most permutations about 2 times more solutions with $F_k^d$ than with a random
permutation. Here this gives the condition: $(k - t)\ell > w - v$. In order to avoid
weak keys, the number of equations with the internal variables must be smaller
than or equal to the number of internal variables. This condition was not always
satisfied in [18]. For R1 attacks, it is easy to check that the number of equations
is given by $t(k-1)$ and the number of variables is $k(t+1) - r - w$. Thus we get
the condition: $r + w \le t + k$. The complexity of such an attack is $2^{\frac{n_I + n_X}{2\ell+2} n}$. This
implies $\frac{n_I + n_X}{2\ell+2} \le k$, i.e. $\frac{(k+t)\ell + r + w}{2\ell+2} \le k$.

5.3 R2 Attacks

Here we have horizontal conditions on the input variables and vertical conditions
on the output variables. Again these attacks are more general than the attacks
named R2 in [18] since we allow more horizontal conditions on the input variables
and more vertical conditions on the output variables. We have:

            $I_1 \dots I_u$                               $I_{u+1} \dots I_k$
  Round 0   $\cdot\Delta^0_1 \dots \cdot\Delta^0_u$        $\Delta^0_{u+1} \dots \Delta^0_k$

            $S_1 \dots S_{k-v}$                $S_{k-v+1} \dots S_k$
  Round d   $\Delta^d_1 \dots \Delta^d_{k-v}$   $0 \dots 0$

Thus, $n_I = (k+u)\ell$, $n_X = t\ell + w$, $n_S = k\ell + v$. The number of horizontal
conditions on the input variables is denoted by $u$. The number of rounds is
given by $u + t + w$. The condition $n_X < n_S$ is equivalent to $(k-t)\ell > w - v$.
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For R2 attacks, it is easy to check that the number of equations is given by
$(t+1)(k-1)$ and the number of variables is $k(t+2) - w$. Thus we get the
condition: $w \le t + k + 1$. The complexity of such an attack is $2^{\frac{n_I + n_X}{2\ell+2} n}$. This
implies $\frac{n_I + n_X}{2\ell+2} \le k$, i.e. $\frac{(k+t+u)\ell + w}{2\ell+2} \le k$.

5.4 R3 and R4 Attacks

We describe briefly R3 and R4 attacks. It is easy to get the number of rounds
and the conditions on the number of equations and variables.

For R3 attacks, we have vertical conditions on the input variables and horizontal
conditions on the output variables. This gives:

            $I_1 \dots I_r$    $I_{r+1} \dots I_k$
  Round 0   $0 \dots 0$        $\Delta^0_{r+1} \dots \Delta^0_k$

            $S_1 \dots S_{k-s}$                $S_{k-s+1} \dots S_k$
  Round d   $\Delta^d_1 \dots \Delta^d_{k-s}$   $\cdot\Delta^d_{k-s+1} \dots \cdot\Delta^d_k$

and $n_I = k\ell + r$, $n_X = t\ell + w$, $n_S = (k+s)\ell$.

For R4 attacks, we have horizontal conditions on the input and output variables.
This gives:

            $I_1 \dots I_u$                               $I_{u+1} \dots I_k$
  Round 0   $\cdot\Delta^0_1 \dots \cdot\Delta^0_u$        $\Delta^0_{u+1} \dots \Delta^0_k$

            $S_1 \dots S_{k-s}$                $S_{k-s+1} \dots S_k$
  Round d   $\Delta^d_1 \dots \Delta^d_{k-s}$   $\cdot\Delta^d_{k-s+1} \dots \cdot\Delta^d_k$

and $n_I = (k+u)\ell$, $n_X = t\ell + w$, $n_S = (k+s)\ell$.


6 Best KPA Attacks: R1, R2

In this section we describe the best attacks we have found. As mentioned before,
we know that for $k \le 7$ they are the best possible attacks. We will mostly
describe one example of R2 attacks since for any number of rounds there are many possible
R2 attacks that give the best complexity. It can be noticed that in KPA, there
is a symmetry between R2 and R3 attacks. Thus there always exist R2 and
R3 attacks with the same complexity. Sometimes, it is also possible to have R1
attacks. Most of the time, R4 attacks are worse. We give attacks from $k+3$
rounds to $3k-1$ rounds since from 1 to $k+2$ rounds, TWO attacks are most
of the time better and they are described in [18]. In all our attacks, it is easily
checked that the conditions given in the previous section are satisfied. Moreover,
we always look for attacks where the number of points is minimum. Our best
R2 KPA attacks are summarized in Table 2.
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Table 2. Best known KPA on $F_k^d$, for any $k \ge 3$

  d values                    | $n_I$          | $n_X$                 | $n_S$            | $\ell$ | Complexity
  $k+2q \in [k+3, 2k-2]$      | $(2k-1)\ell$   | $q\ell + q + 1$       | $k\ell + q + 1$  | 1      | $2^{\frac{k+q}{2} n}$
  $k+2q+1 \in [k+3, 2k-2]$    | $(2k-1)\ell$   | $q\ell + q + 2$       | $k\ell + q + 2$  | 1      | $2^{\frac{2k+2q+1}{4} n}$
  $k+2q \in [2k-1, 3k-2]$     | $(2k-1)\ell$   | $2q + 1$              | $k\ell + k - 1$  | 1      | $2^{\frac{k+q}{2} n}$
  $k+2q+1 \in [2k-1, 3k-2]$   | $(2k-1)\ell$   | $2q + 2$              | $k\ell + k - 1$  | 1      | $2^{\frac{2k+2q+1}{4} n}$
  $3k-1$                      | $k\ell + \ell$ | $(k-1)\ell + 2k - 1$  | $k\ell + k - 1$  | $k$    | $2^{\frac{2k^2+2k-1}{2k+2} n}$

Remarks

1. We have the following R1 attacks:

(a) When $k+3 \le d \le 2k-2$ and $d = k+2q$, we set
$n_I = k\ell + k - 1$, $n_X = q\ell + q + 1$, $n_S = k\ell + q + 1$.
It is possible to choose $\ell = 1$ and the complexity is also $2^{\frac{k+q}{2} n}$.

(b) When $2k-1 \le d \le 3k-2$ and $d = k+2q$, we set
$n_I = k\ell + 2$, $n_X = q\ell + k + q - 2$, $n_S = k\ell + k - 1$.
The complexity is still $2^{\frac{k+q}{2} n}$, but $\ell$ is greater than 1.

2. In [7], Jutla gave an R1 attack on $3k-3$ rounds, but the complexity that we
obtain with an R2 attack here is better. It is possible to perform an R1 attack
on $3k-2$ rounds just by adding a vertical condition on the input variables
to the attack on $3k-3$ rounds, and then we obtain the same complexity as
the one we get with an R2 attack. Due to the conditions between the number
of equations and internal variables, it is not possible to use the same idea
for $3k-1$ rounds. In this last case, we have R2 (and of course R3) attacks.

7 Way to Transform KPA Attacks into CPA-1 Attacks

We have analyzed all the possible situations and we are now able to present
formulas that give us directly the CPA complexity depending on the initial conditions.
We call $u$ the number of horizontal conditions, $r$ the number of vertical
conditions and $\delta = |u - r|$. So we can distinguish four cases:

Case 1, $u = 0$: $\underbrace{0 \; 0 \; \dots \; 0}_{r\ \text{``0''}} \; \Delta_1 \; \dots \; \Delta_{k-r}$

Case 2, $r = 0$.

Case 3, $u < r$.

Case 4, $u > r$.

We can notice that the best CPA-1 attacks do not always come from the
best KPA attacks. Nevertheless, if we want to express the CPA complexity
with the KPA complexity, we can use the following formula:

$$\log_{2^n}(\mathrm{KPA}) = \frac{r + (u+k)\ell + n_X}{2\ell + 2}.$$
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Table 3. KPA to CPA

  Conditions                                                               | $\log_{2^n}(\mathrm{CPA})$
  $u = 0$, $r$ vertical conditions:
      $\frac{n_X}{\ell+2} \le k - r$                                        | $\frac{n_X}{\ell+2}$
      $\frac{n_X}{\ell+2} > k - r$                                          | $\frac{n_X - k + r}{\ell+1}$
  $r = 0$, $u$ horizontal conditions:
      $\frac{n_X}{\ell+2} \le k - u$                                        | $\frac{n_X}{\ell+2}$
      $\frac{n_X}{\ell+2} > k - u$                                          | $\frac{n_X - \ell(k-u)}{2}$
  $r \ne 0$ and $u \ne 0$, $u < r$:
      $(\ell+2)(k-r) \ge n_X$                                               | $\frac{n_X}{\ell+2}$
      $(\ell+2)(k-r) < n_X$ and $(\ell+2)(k-r) + (\ell+1)\delta \ge n_X$    | $\frac{n_X - k + r}{\ell+1}$
      $(\ell+2)(k-r) + (\ell+1)\delta < n_X$                                | $n_X - k + r - \ell(k-u)$
  $r \ne 0$ and $u \ne 0$, $u > r$:
      $(\ell+2)(k-u) \ge n_X$                                               | $\frac{n_X}{\ell+2}$
      $(\ell+2)(k-u) < n_X$ and $(\ell+2)(k-u) + 2\delta \ge n_X$           | $\frac{n_X - \ell(k-u)}{2}$
      $(\ell+2)(k-u) + 2\delta < n_X$                                       | $n_X - k + r - \ell(k-u)$

For all the CPA-1 attacks we found, we prove that the best choice is to keep
the first bits constant and generate all the possible messages with the same first
bits.

Let us show how we prove it for Case 1. The best way to choose messages is
to keep some of the bits constant (for example equal to zero) and consider all
the possible combinations for the other bits. We call $b$ the number of varying bits
among the first $rn$ bits, and we call $\beta$ the number of varying bits among the last
$(k-r)n$ bits. So we have $0 \le b \le rn$ and $0 \le \beta \le (k-r)n$, and this allows us
to generate $2^{b+\beta}$ points (plaintext/ciphertext pairs). Now we count how many
$\varphi$-tuples $M^0(1), \dots, M^0(\varphi)$ of points will verify the input conditions. For $M^0(1)$
we have $2^{b+\beta}$ possibilities, for $M^0(2)$ only $2^\beta - 1 \approx 2^\beta$ possibilities, because the
first $rn$ bits are imposed by $M^0(1)$. For $M^0(3)$ we have again $2^{b+\beta} - 2 \approx 2^{b+\beta}$
possibilities. For $M^0(4)$ only one possibility: $M^0(4) = M^0(3) \oplus (M^0(1) \oplus M^0(2))$.
We continue like this until we reach the last two points. For $M^0(\varphi-1)$ we have
again almost $2^{b+\beta}$ possibilities, and for $M^0(\varphi)$ only one possibility. So, the total
number of $\varphi$-tuples is $(2^{b+\beta})^{\varphi/2} \times 2^\beta = 2^{(b+\beta)(\ell+1) + \beta}$. The complexity of the
CPA-1 is equal to $2^{b+\beta}$. We want this number to be as small as possible, and
at the same time we want to generate a maximum of $\varphi$-tuples that satisfy the
input conditions. So, we want to have $\beta$ as large as possible. Each $\varphi$-tuple has a
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probability equal to $1/2^{n_X \cdot n}$ to satisfy the internal conditions. In order to have a
reasonable chance to realize these conditions, we must have $(b+\beta)(\ell+1) + \beta =
n_X \cdot n$. If $b = 0$ we get $\beta = \frac{n_X}{\ell+2} n$. But this is possible only if $\beta \le (k-r)n$,
i.e. if $\frac{n_X}{\ell+2} \le k - r$. If we have $\frac{n_X}{\ell+2} > k - r$ then we must take the maximum
possible value for $\beta$: $\beta = (k-r)n$, and that gives us a CPA-1 complexity equal
to $2^{b+\beta} = 2^{\frac{n_X - k + r}{\ell+1} n}$.

All the cases are summarized in Table 3.
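The KPA formula of Section 7 and the four cases of Table 3, as an added example that is not the authors' own program: a small Python module that evaluates both exponents and re-derives the Section 3 value $3/2$ for $F_3^6$ as well as the Table 4 rows below. The helper best_r2_cpa1, its selection of the Table 4 row from $(k, d)$, and the use of $r = 0$ for R2 attacks (as in Section 5.3) are this example's own; the exponents it returns follow from the page's formulas alone.

```python
# Added example, not code from the paper: the KPA exponent of Section 7 and the
# four-case KPA -> CPA-1 rule of Table 3, checked against the values the paper
# states for the F_3^6 example (Section 3) and the rows of Table 4. The row
# selection in best_r2_cpa1 is this example's own reading of Table 4.
from fractions import Fraction


def kpa_exponent(k, ell, r, u, n_x):
    """log_{2^n} of the KPA complexity: (r + (u+k)l + n_X) / (2l+2)."""
    return Fraction(r + (u + k) * ell + n_x, 2 * ell + 2)


def cpa1_exponent(k, ell, r, u, n_x):
    """log_{2^n} of the CPA-1 complexity (Table 3); r vertical and u horizontal
    input conditions, delta = |u - r|, n_X internal conditions."""
    delta = abs(u - r)
    if u == 0:                                      # case 1
        if Fraction(n_x, ell + 2) <= k - r:
            return Fraction(n_x, ell + 2)
        return Fraction(n_x - k + r, ell + 1)
    if r == 0:                                      # case 2
        if Fraction(n_x, ell + 2) <= k - u:
            return Fraction(n_x, ell + 2)
        return Fraction(n_x - ell * (k - u), 2)
    if u < r:                                       # case 3
        if (ell + 2) * (k - r) >= n_x:
            return Fraction(n_x, ell + 2)
        if (ell + 2) * (k - r) + (ell + 1) * delta >= n_x:
            return Fraction(n_x - k + r, ell + 1)
        return Fraction(n_x - k + r - ell * (k - u))
    if (ell + 2) * (k - u) >= n_x:                  # case 4, u > r
        return Fraction(n_x, ell + 2)
    if (ell + 2) * (k - u) + 2 * delta >= n_x:
        return Fraction(n_x - ell * (k - u), 2)
    return Fraction(n_x - k + r - ell * (k - u))


def best_r2_cpa1(k, d):
    """(u, l, n_X, CPA-1 exponent) of the Table 4 attack on F_k^d, k+3 <= d <= 3k-1.
    R2 attacks have r = 0, n_I = (k+u)l and u + t + w = d with n_X = t*l + w."""
    if d == k + 3:
        u, ell, n_x = k - 1, 1, 4
    elif d == k + 4:
        u, ell, n_x = k - 2, 1, 6
    elif d == k + 5:
        u, ell, n_x = k - 2, 1, 7
    elif d == 3 * k - 3:
        u, ell, n_x = 1, k - 1, (k - 2) * (k - 1) + 2 * k - 2
    elif d == 3 * k - 2:
        u, ell, n_x = k - 1, 1, 2 * k - 1
    elif d == 3 * k - 1:
        u, ell, n_x = 1, k, (k - 1) * k + 2 * k - 1
    elif k + 6 <= d <= 3 * k - 4 and (d - k) % 2 == 0:
        q = (d - k) // 2
        u, ell, n_x = k - q, q - 1, (q - 1) ** 2 + 2 * q + 1
    elif k + 7 <= d <= 3 * k - 5 and (d - k) % 2 == 1:
        q = (d - k - 1) // 2
        u, ell, n_x = k - q, q - 1, (q - 1) ** 2 + 2 * q + 2
    else:
        raise ValueError("no Table 4 row for these parameters")
    return u, ell, n_x, cpa1_exponent(k, ell, 0, u, n_x)


if __name__ == "__main__":
    print("F_3^6 (Section 3): KPA exponent", kpa_exponent(3, 1, 2, 0, 4),
          "CPA-1 exponent", cpa1_exponent(3, 1, 2, 0, 4))
    for d in range(8, 15):                          # k = 5 hits every row of Table 4 once
        print("k=5, d=%d: (u, l, n_X, exponent) =" % d, best_r2_cpa1(5, d))
```

For $k = 5$ the loop prints the exponents $3/2, 2, 5/2, 11/4, 10/3, 4, 9/2$ for $d = 8, \dots, 14$; the $3k-2$ row has no explicit split of $n_X$ into $t$ and $w$ on the page, so the module uses only the total $2k-1$ that the round count and the complexity $2^{(k-1)n}$ force.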


8 Best CPA-1 Attacks: R1, R2, Simulation

8.1 CPA-1 Attacks

In this section, we describe the best CPA-1 attacks that we have obtained. Again for
$k \le 7$ we know that we have the best possible attacks. Except for $3k-1$ rounds,
we obtain a better complexity than in [18]. The best CPA-1 attacks are generally R2
attacks. Sometimes R1 attacks exist with the same complexity. It is interesting
to note that the best CPA-1 attacks do not come from the best KPA. We will use the
study of CPA-1 made in Section 7. We will describe CPA-1 attacks for $k+3 \le d \le 3k-1$
since for $d \le k+2$, the best attacks are the TWO attacks given in [18]. Again
we will give an example of such an attack for each number of rounds. We notice that for the
same conditions on the input and output variables, we can find several attacks:
the horizontal and vertical conditions on the internal variables can be placed
differently inside the attack, but we must respect the conditions between the
number of equations and variables at each step of the attack. An example is
given at the end of this section. Our best R2 CPA-1 attacks are summarized in
the following table:

Table 4. Best known CPA-1 on F_k^d, for any k ≥ 3

| d values | n_i | n_x | n_s | ℓ | Complexity |
|---|---|---|---|---|---|
| k+3 | kℓ + (k−1)ℓ | ℓ+3 | kℓ+1 | 1 | 2^{3n/2} |
| k+4 | kℓ + (k−2)ℓ | 2ℓ+4 | kℓ+2 | 1 | 2^{2n} |
| k+5 | kℓ + (k−2)ℓ | 2ℓ+5 | kℓ+2 | 1 | 2^{5n/2} |
| k+2q ∈ [k+6, 3k−4] | kℓ + (k−q)ℓ | (q−1)ℓ + 2q+1 | kℓ+1 | q−1 | 2 3 i# n |
| k+2q+1 ∈ [k+7, 3k−5] | kℓ + (k−q)ℓ | (q−1)ℓ + 2q+2 | kℓ+1 | q−1 | 2 ^+T n |
| 3k−3 | kℓ + ℓ | (k−2)ℓ + 2k−2 | kℓ+1 | k−1 | 2 TTT n |
| 3k−2 | kℓ + (k−1)ℓ | | kℓ+k−1 | 1 | 2^{(k−1)n} |
| 3k−1 | kℓ + ℓ | (k−1)ℓ + 2k−1 | kℓ+k−1 | k | 2^{(k−1/2)n} |


Remark. For d = k + 3, k + 4, k + 5 and 3k − 2, there exist R1 attacks with the same complexity and the same number of points.
8.2 Overview of the R2 CPA-1 Attack on F_k^{3k−1}

We did a simulation of our best CPA-1 attack. The input and output conditions were the following:

Several different differential paths match these input and output conditions. For example, let us see all the R2 paths for the F_3^8 and F_4^{11} permutations; see Table 5 and Table 9 in Appendix A.

We counted the number of paths for k ≤ 7 (the table of counts did not survive extraction). We will see that the greater k is, the better the attacks work.


Table 5. All the paths for the R2 attack against F_3^8

Table 6. Experimental results for F_k^{3k−1}


| n | k | kn | % of success | % of false alarm | # iterations |
|---|---|---|---|---|---|
| 2 | 3 | 6 | 29,09% | 0,35% | 100000 |
| 2 | 4 | 8 | 61,6% | 0,06% | 10000 |
| 2 | 5 | 10 | 98,37% | 0% | 10000 |
| 2 | 6 | 12 | 99,99% | 0% | 10000 |
| 2 | 7 | 14 | 100% | 0% | 10000 |
| 2 | 8 | 16 | 100% | 0% | 1000 |
| 2 | 9 | 18 | 100% | 0% | 500 |
| 2 | 10 | 20 | 100% | 0% | 100 |
| 4 | 3 | 12 | 21,15% | 1,12% | |
| 4 | 4 | 16 | 42,5% | 0% | |
| 4 | 5 | 20 | 93% | 0% | |
| 4 | 6 | 24 | 100% | 0% | 100 |
| 6 | 3 | 18 | 8% | 1,2% | |
| 8 | 3 | 24 | 2% | 0% | 100 |
8.3 Experimental Results

We did simulations of these CPA-1 attacks. For each simulation, we generate a random Feistel scheme with 20 rounds, and a F_k^{3k−1} scheme. For both schemes, we compute $2^{(k-1/2)n}$ ciphertext/plaintext pairs, by varying only the last $(k-1/2)n$ bits. After this, we extract all the couples of points that satisfy both input and output conditions. We sort these couples of points in order to count how many $\varphi$-tuples of points match the input and output conditions. If we find $q$ couples of points that satisfy all these conditions with $q \ge \varphi/2$, we count as if we had found $\binom{q}{\varphi/2}$ $\varphi$-tuples, because this is the number of $\varphi$-tuples we can take out of these points by changing the position of the couples of points. Once this is finished, we compare the number found for each permutation. Most of the time, that enables us to distinguish between them. See Table 6.

9 Summary of the Attacks

In Tables 7 and 8 we give the complexity of the attacks we have found. For k ≤ 7, since we have generated all the attacks, these are the best possible attacks. Then we have generalized the results for k > 7 and we believe that the attacks presented here are also the best possible attacks. For d ≤ k + 2, we have TWO attacks. For d ≥ k + 3, we have rectangle attacks. As mentioned before, in KPA there are always R2 and R3 attacks that give the best complexity; sometimes there is also an R1 attack (for 3k − 2 rounds for example). In CPA-1, the best complexity is given by R2 attacks, and sometimes R1 attacks.

Table 7. Best known TWO and Rectangle attacks on F_3^d. Details about the parameters in this table: (new) means that we have found a better attack than previously known.

| | KPA | CPA-1 |
|---|---|---|
| F_3^1 | 1 | 1 |
| F_3^2 | 2^{n/2}, TWO | 2 |
| F_3^3 | 2^n, TWO | 2 |
| F_3^4 | 25”, TWO | 2^{n/2}, TWO |
| F_3^5 | 2^{2n}, TWO | 2^n, TWO |
| F_3^6 | 2i”, R2, R3 | 2^{3n/2}, R2 (new) |
| F_3^7 | 25”, R1, R2, R3 | 2^{2n}, R2 |
| F_3^8 | 2T", R2, R3 | 2^{5n/2}, R2 |

In these tables, “new” means that the complexity that we obtain is better than the complexity given in [18]. (*) means that for 3k − 1 rounds our complexity is worse than the complexity in [18]. This comes from the fact, as we mentioned earlier, that the conditions between the equations and the internal variables were not all considered in [18].
Table 8. Best known TWO and Rectangle attacks on F_k^d, for any k ≥ 3. Details about the parameters in this table: (new) means that we have found a better attack than previously known.

| | KPA | CPA-1 |
|---|---|---|
| F_k^1 | 1 | 1 |
| F_k^2 | 2^{n/2}, TWO | 2 |
| F_k^3 | 2^n, TWO | 2 |
| F_k^d, 2 < d < k | 2t»TWO | 2 |
| F_k^{k+1} | 2**, TWO | 2^{n/2}, TWO |
| F_k^{k+2} | 2~", TWO | 2^n, TWO |
| F_k^{k+3} | 2~^~", R2, R3 | 2^{3n/2}, R2 (new) |
| F_k^{k+4} | 2 t ^ n, R1, R2, R3 | 2^{2n}, R2 (new) |
| F_k^{k+5} | 2~^ n, R2, R3 | 2^{5n/2}, R2 (new) |
| F_k^d, d = k+2q, 3 ≤ q ≤ k−2 | 2^ n, R1, R2, R3 | 2 l!Tr n, R2 (new) |
| F_k^d, d = k+2q+1, 3 ≤ q ≤ k−3 | 2 ± ^ n, R2, R3 | 2TTT n, R2 (new) |
| F_k^{3k−3} | 2 (fe “^ )n, R2, R3 | 2 TTT", R2 (new) |
| F_k^{3k−2} | 2 (A ' * )n, R1, R2, R3 | 2^{(k−1)n}, R2 (new) |
| F_k^{3k−1} | 2 ( fe -3ST5) n, R2, R3, (*) | 2^{(k−1/2)n}, R2 |

10 Conclusion

In this paper we make a systematic study of rectangle generic attacks on unbalanced Feistel schemes with expanding functions. Although these attacks were already analyzed in [7] and [18], this paper brings many improvements. Generation of all possible rectangle attacks for k ≤ 7 was performed thanks to a computer program, and the most efficient ones were selected. Then the generalization for any k was possible. This gives attacks for which the conditions between equations and internal variables are satisfied. This was not detected in [18]. We also provide a complete description of the way to obtain CPA-1 from KPA. This shows how to get the best CPA-1, and we improved the CPA-1 complexity of [18]. Also, many simulations confirm our theoretical results.

There are still some open problems. It would be interesting to complete the program in order to generate all the attacks for any k. This seems to be a memory space problem. Also, in this paper, we did not study attacks with complexity greater than kn. In that case, we need to attack permutation generators and not only one single permutation. In [E], attacks called “multi-rectangle attacks” were introduced, but so far no significant results have been obtained on these attacks. It might give a new way to study generic attacks on unbalanced Feistel schemes with expanding functions. As we mentioned in Section 8, when we have exactly the same conditions on the input and output variables, there are many possible CPA-1 attacks (for k = 7, there exist 286 attacks on F_7^{20} with the same conditions on the input and output variables). An estimation for any k will strengthen the attack.
A All the Paths for the R2 Attack against F_4^{11}, φ = 10

Table 9. All the paths for the R2 attack against F_4^{11}, φ = 10
Abstract. In a recent work, Mangard et al. showed that under certain assumptions, the (so-called) standard univariate side-channel attacks using a distance-of-means test, correlation analysis and Gaussian templates are essentially equivalent. In this paper, we show that in the context of multivariate attacks against masked implementations, this conclusion does not hold anymore. While a single distinguisher can be used to compare the susceptibility of different unprotected devices to first-order DPA, understanding second-order attacks requires to carefully investigate the information leakages and the adversaries exploiting these leakages, separately. Using a framework put forward by Standaert et al. at Eurocrypt 2009, we provide the first analysis that explores these two topics in the case of a masked implementation exhibiting a Hamming weight leakage model. Our results lead to refined intuitions regarding the efficiency of various practically-relevant distinguishers. Further, we also investigate the case of second- and third-order masking (i.e. using three and four shares to represent one value). This evaluation confirms that higher-order masking only leads to significant security improvements if the secret sharing is combined with a sufficient amount of noise. Eventually, we show that an information theoretic analysis allows determining this necessary noise level, for different masking schemes and target security levels, with high accuracy and smaller data complexity than previous methods.


1 Introduction 

Masking (as described, e.g. in J2I71 11)1 1) is a very frequently considered solution to thwart side-channel attacks. The basic idea is to randomize all the sensitive variables during a cryptographic computation by splitting them into d shares. The value d − 1 is usually denoted as the order of the masking scheme. As most countermeasures against side-channel attacks, masking does not totally prevent the leakages, but it is expected to increase the difficulty of performing a successful key-recovery. For example, masking can be defeated because of technological issues such as glitches 0. Alternatively, an adversary can always perform a

M. Abe (Ed.): ASIACRYPT 2010, LNCS 6477, pp. 112-129, 2010.
higher-order DPA (e.g. jl 011 312.' Il l) in which he “combines” the leakages corresponding to the d shares in order to extract key-dependent information. From a performance point of view, masking a block cipher implies significant performance overheads, because it requires to compute the encryption of the different shares separately. As a result, an important problem is to determine the exact security level that it provides in function of the order of the scheme d.

In order to solve this problem, Prouff et al. proposed a comprehensive study of first-order masking (i.e. second-order power analysis) in m. In their paper, the two leakage samples corresponding to the different shares are first mingled with a combination function. Next, a (key-dependent) leakage model is used to predict the output of this function. Eventually, the combined physical leakages are compared with the key-dependent predictions, thanks to Pearson’s correlation coefficient Q. Different combination functions are analyzed regarding the efficiency of the resulting attacks, leading to the following conclusions:

1. For every device and combination function, an optimal prediction function 
(or model) can be exhibited, that leads to the best attack efficiency. 

2. Following an analysis based on Pearson’s coefficient and assuming a “Hamming weight leakage model”, the “normalized product combining function” (both to be detailed in this paper) is the best available in the literature.

The first observation is in fact quite natural. Since every device is characterized by its leakage function, there is one optimal model to predict these leakages that perfectly captures their probability density function (pdf for short). And for every optimal model, there is one way to combine the leakage samples that leads to the best possible correlation. But the idea of optimal combination function also leads to a number of issues. On the one hand, as acknowledged by the authors of na, their analysis is carried out for a fixed (Hamming weight) leakage function. Therefore, how the observations made in this context would be affected by a different leakage function is an open question. On the other hand, their analysis is also performed for a given statistical tool, i.e. Pearson’s correlation coefficient. Hence, one can wonder about the extent to which this statistical tool is generic enough for evaluating second-order DPA.

This second question is particularly interesting in view of the recent results of [12]. This reference shows that in the context of (so-called) standard first-order DPA and when provided with the same leakage model, the most popular distinguishers such as using distance-of-means tests 0, correlation analysis and Gaussian templates (21 require approximately the same number of traces to extract keys. Differences observed in practice are only due to statistical artifacts. In addition, it is shown that the correlation coefficient can be related to the concept of conditional entropy which has been established as a measure for side-channel leakage in [20]. Therefore, a natural question is to ask if these observations still hold in the second-order case. For example, can the correlation coefficient be used to evaluate the information leakage of a masked implementation?

In this paper, we answer this question negatively. We show that second-order DPA attacks are a typical context in which the two parts of the framework for the analysis of side-channel key-recovery of Eurocrypt 2009 lead to different intuitions. First, an information theoretic analysis measures the amount of leakage provided by the masked implementation. It quantifies its security limits and relates to the success rate of an adversary who can perfectly profile the leakage pdf. Second, a security analysis measures the efficiency of one particular distinguisher. By applying this framework, we exhibit refined intuitions regarding the behavior of different second-order DPA attacks and combination functions. We then discuss the impact of these observations in profiled and non-profiled attack scenarios and confirm our theoretical investigations with practical experiments. We note that our results do not contradict m but rather emphasize that a single distinguisher cannot capture all the specificities of a leakage function. Eventually, we extend our analysis towards higher-order masking. This allows us to confirm that, from an information theoretic point of view, increasing the number of shares in a masking scheme only leads to an improved physical security if a sufficient amount of noise is limiting the quality of the adversary’s measurements j2j. Higher-order masking also provides a case for the information theoretic metric introduced in [20]. We show that this metric can be used to determine the exact amount of shares and noise required to reach a certain security level (against worst-case template attacks, exploiting intensively profiled leakage models), with smaller data complexity than previous methods.

Summarizing, first-order side-channel attacks are a quite simple context in which (under certain conditions) most popular distinguishers behave similarly, if they are fed with the same leakage models. As a consequence, it can be sound to use “one distinguisher for all” in this context. By contrast, second-order (or higher-order) DPA can be confronted with leakage probability distributions that can take very different forms (mixtures, typically). Hence, given a certain amount of information leaked by a masked implementation, and even if fed with the same leakage models (and combination functions), different statistical tools will take advantage of the key-dependencies in very different manners. In other words, depending on the devices and countermeasures, one or another attack may perform better, hence suggesting our title “the world is not enough”.

2 Boolean Masking and Second-Order Attacks 

Many different masking schemes have been proposed in the literature. Although they can result in significantly different performances, the application of second-order attacks generally relies on the same principles, independent of the type of masking. In the following, we decided to focus on the Generalized Look Up Table (GLUT for short) that is described, e.g. in |TS|. Such a scheme is represented in the lower left part of Figure 1, using the key addition and S-box layer of a block cipher as a concrete example. It can be explained as follows. For an input plaintext $x_i$, a random mask $a_i$ is first generated within the device. The value $x_i \oplus a_i$ is generally denoted as the masked variable. Then, the encryption algorithm (here, the key addition and S-box) is applied to the masked variables, where $s$ denotes a secret key byte (we will use the term subkey in the following). Concurrently, some correction terms are also computed such that, anytime during the cryptographic computation, the XOR between a masked variable and its corresponding mask produces the original variable. In the case of the GLUT proposal, a precomputed function Sbox’ is used for this purpose. For example in Figure 1, the masked S-box output $\mathrm{Sbox}(x_i \oplus a_i \oplus s)$ can be written as $\mathrm{Sbox}(x_i \oplus s) \oplus b_i$, where $b_i$ denotes an output mask produced by Sbox’.

Fig. 1. Illustrative second-order DPA

In practice, the GLUT countermeasure can be implemented in different manners. Mainly, the two S-box computations can be performed sequentially (as typical for software implementations) or in parallel (as typical for hardware implementations). In order to describe the second-order DPA that we investigate in this paper, we first use the sequential approach (the parallel one will be discussed in the next section). Also, we rely on the terminology introduced in m. Essentially, the idea of second-order DPA is to take advantage of the joint leakage of two intermediate computations during the encryption process (i.e. the masked value and its mask). In the software approach, the computation of these intermediate variables will typically be performed in two different clock cycles. Hence, two leakage samples $l_i^1$ and $l_i^2$ corresponding to these computations can be found in the leakage traces, as in the top of Figure 1. Following the standard DPA described in m, the adversary will then work in three (plus one optional) steps:

1. For different plaintexts $x_i$ and subkey candidates $s^*$, the adversary predicts some intermediate values in the target implementation. For example, one could predict the S-box outputs $\mathrm{Sbox}(x_i \oplus s)$ in Figure 1.

2. For each of these predicted values, the adversary models the leakages. Because of the presence of a mask in the implementation, this prediction can use a pdf (where the probability is taken over the masks and leakage noise) or some simpler function, e.g. capturing only certain moments of this pdf.

3. Optionally, the adversary combines the leakage samples into a single variable.

4. For each subkey candidate $s^*$, the adversary finally compares the modeled leakages with actual measurements, produced with the same plaintexts $x_i$ and a secret subkey $s$. In a second-order DPA, each model is compared with two samples in the traces. This comparison is independent of all other points. Consequently, these attacks are referred to as bivariate. In practice, this comparison is applied to many pairs of points in the leakage traces and the subkey candidate that performs best is selected by the adversary.

As for the analysis of first-order attacks, comparing different distinguishers requires to provide them with the same leakage samples. However, contrary to the first-order case and as will be discussed in the following sections, the best pair of leakage samples is not necessarily the same for all distinguishers. This is because different distinguishers can take advantage of different leakage pdf with different efficiencies in this case. In practice, this requires to test all pairs of samples in the traces (but this means $N(N-1)/2$ statistical tests to perform if the traces have $N$ samples). In this paper, we will generally assume that this best pair of samples is provided to the attacks we perform (which can be done easily when simulating experiments and requires significant, but tractable, computational power when performing attacks based on real measurements).

Finally, we will use the following notations:

— $x_q = [x_1, x_2, \ldots, x_q]$: a vector of plaintext bytes.

— $a_q = [a_1, a_2, \ldots, a_q]$: a vector of random input mask bytes.

— $b_q = [b_1, b_2, \ldots, b_q]$: a vector of random output mask bytes.

— $v_i^1 = \mathrm{Sbox}(x_i \oplus s) \oplus b_i$: an intermediate value in the encryption of $x_i$.

— $v_i^2 = b_i$: another intermediate value in the encryption of $x_i$.

— $l_q^1 = [l_1^1, l_2^1, \ldots, l_q^1]$: a vector of leakage samples corresponding to the first intermediate values $v_i^1$ during the encryption process.

— $l_q^2 = [l_1^2, l_2^2, \ldots, l_q^2]$: a vector of leakage samples corresponding to the second intermediate values $v_i^2$ during the encryption process.

— $m_q^{s^*} = [m_1^{s^*}, m_2^{s^*}, \ldots, m_q^{s^*}]$: a vector containing leakage models (i.e. predictions) corresponding to a subkey candidate $s^*$ and the plaintexts $x_q$.

In the rest of the paper, these notations (in small caps) will represent sampled values, while their counterparts in capital letters will represent random variables.

3 Second-Order Attacks with Pearson’s Coefficient

In theory, second-order DPA is possible if the joint probability distributions $\Pr[L_q^1, L_q^2 \mid X_q, s]$ are different for different subkey values $s$. This can be illustrated, e.g. for a Hamming weight leakage function which is frequently considered in the practice of side-channel attacks m and has been the running example in ex-
it means assuming that the leakage samples $l_i^1$ and $l_i^2$ can be written as:

$$l_i^1 = W_H(v_i^1) + n_i^1, \qquad (1)$$

$$l_i^2 = W_H(v_i^2) + n_i^2, \qquad (2)$$

where $W_H$ is the Hamming weight function and $n_i^1$, $n_i^2$ are normally distributed noise values with mean 0 and standard deviation $\sigma_n$. In the context of an 8-bit S-box (e.g. the AES one), it leads to 9 possible leakage distributions, corresponding to the 9 Hamming weight values of a secret state $Z_i = \mathrm{Sbox}(x_i \oplus s)$, as observed in m. The left parts of Figures !! 1 1 Upl and 1 1 Ml in Appendix El show the joint leakage distributions in this setting and clearly illustrate that they are key-dependent. As detailed in the previous section, taking advantage of these dependencies requires a comparison tool. In their statistical evaluation of second-order DPA, Prouff et al. use Pearson’s correlation coefficient. In the context of first-order attacks exploiting a single leakage sample $l_i$, it implies computing:

$$\rho(M^{s^*}, L_i) = \frac{\mathrm{E}\big((l_i - \mathrm{E}(L_i)) \cdot (m_i^{s^*} - \mathrm{E}(M^{s^*}))\big)}{\sigma(L_i) \cdot \sigma(M^{s^*})},$$

where $\mathrm{E}$ and $\sigma$ denote the sample means and standard deviations of a random variable, respectively. In order to extend this tool towards the second-order case, the classical approach is to first combine the two leakage samples $l_i^1$ and $l_i^2$ with a combination function $C$. For example, Chari et al. proposed to take the product of two centered samples 0: $C(l_i^1, l_i^2) = (l_i^1 - \mathrm{E}(L_i^1)) \cdot (l_i^2 - \mathrm{E}(L_i^2))$, and Messerges used the absolute difference between them (Ej: $C(l_i^1, l_i^2) = |l_i^1 - l_i^2|$. As illustrated in the right parts of Figures El O and El, those combining functions also lead to key-dependencies. In addition to these standard examples, we finally plotted the distribution of the sum combining function $C(l_i^1, l_i^2) = l_i^1 + l_i^2$, because it can be used to emulate the behavior of the GLUT masking in a hardware setting, where the two S-boxes of Figure 1 are computed in parallel.


3.1 Choice of a Model and Leakage-Dependency of C

Given the above descriptions and assuming that the adversary knows a good leakage model for the samples $l_i^1$ and $l_i^2$, it remains to determine which model to use when computing $\rho(M^{s^*}, C(L_i^1, L_i^2))$. That is, we do not need to predict the leakage samples separately, but their combination. In addition, and contrary to the first-order case, there is an additional variable (i.e. the mask) that is unknown to the adversary. But given a model for the separate samples, it is possible to derive one for their combination. For example, assuming a Hamming weight model that perfectly corresponds to the leakages of Equations (1) and (2), we can use the mean of the combination function, taken over the masks. For each subkey candidate $s^*$, the model is then given by:

$$m_i^{s^*} = \mathrm{E}\big(C(W_H(Z_i^* \oplus b_i), W_H(b_i))\big),$$

with $Z_i^*$ the secret state predicted for the candidate $s^*$. This is in fact similar to what is proposed in HZ, where the mean is additionally taken over the leakage noise (which is more general, but implies additional profiling, i.e. a sufficiently precise knowledge of the noise distribution). As an illustration, Figure 2 shows the leakage models corresponding to the absolute difference and normalized product combination functions.

Fig. 2. Leakage models for second-order DPA using the correlation coefficient

They again only depend on the 9 Hamming weight values of the secret state, as opposed to the ones of a sum combining function, for which the mean value (over the masks) is constant for all secret states. Hence, as already observed in m, this sum combining function will not lead to successful second-order correlation attacks.

The figure intuitively confirms the previous theoretical analysis of Prouff et al., where it is demonstrated that the normalized product combining function leads to the most efficient second-order side-channel attacks when using Pearson’s coefficient and assuming a Hamming weight leakage model for the separate samples. Indeed, this particular setting gives rise to nicely linear dependencies of the models $m_i^{s^*}$ in the Hamming weight of the secret states $W_H(Z_i)$. Also, and contrary to the absolute difference combining function, all the 9 possible Hamming weights correspond to a different model $m_i^{s^*}$ in this particular case.

Interestingly, the efficiency of the normalized product combining function can be simply explained when looking at the equations, since it computes:

$$\rho(M^{s^*}, C(L_i^1, L_i^2)) = \frac{\mathrm{E}\big((C(l_i^1, l_i^2) - \mathrm{E}(C(L_i^1, L_i^2))) \cdot (m_i^{s^*} - \mathrm{E}(M^{s^*}))\big)}{\sigma(C(L_i^1, L_i^2)) \cdot \sigma(M^{s^*})}.$$

As the product is normalized, we have that $\mathrm{E}(C(L_i^1, L_i^2)) = 0$, which leads to:

$$\rho(M^{s^*}, C(L_i^1, L_i^2)) = \frac{\mathrm{E}\big((l_i^1 - \mathrm{E}(L_i^1)) \cdot (l_i^2 - \mathrm{E}(L_i^2)) \cdot (m_i^{s^*} - \mathrm{E}(M^{s^*}))\big)}{\sigma(C(L_i^1, L_i^2)) \cdot \sigma(M^{s^*})}. \qquad (3)$$

And this formula is in fact very close to the straightforward generalization of Pearson’s correlation coefficient to the case of three random variables:

$$\rho(M^{s^*}, L_i^1, L_i^2) = \frac{\mathrm{E}\big((l_i^1 - \mathrm{E}(L_i^1)) \cdot (l_i^2 - \mathrm{E}(L_i^2)) \cdot (m_i^{s^*} - \mathrm{E}(M^{s^*}))\big)}{\sigma(L_i^1) \cdot \sigma(L_i^2) \cdot \sigma(M^{s^*})}. \qquad (4)$$

The only difference between Equations (3) and (4) is in the leakage samples’ standard deviation terms, which are key-independent. Hence, when applied to the same pair of samples, attacks using Equations (3) or (4) are equivalent. Intuitively, these equations provide a simple explanation of the normalized product combining function. That is, such a combining function will efficiently take advantage of pairs of leakage samples that are linearly correlated conditioned on the key. As illustrated in Figures El O and El, this is nicely achieved in the case of a Hamming weight leakage function for the two samples $l_i^1$ and $l_i^2$.
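The following Python script is an added worked example, not code from the paper or its authors. It simulates the sequential GLUT setting of Section 2 with the Hamming weight leakage of Equations (1) and (2), runs the four-step second-order DPA of Section 2 with the product, absolute difference and sum combining functions of Section 3 using the mask-averaged model of Section 3.1, and checks numerically that the correlation with the normalized product and the three-variable coefficient of Equation (4) differ only by the key-independent factor made of standard deviations. The bijective S-box (a seeded random permutation, not the AES one), the secret subkey, the noise level and the trace count are constructed assumptions.

```python
import math
import random

# Added example, not code from the paper: simulation of the sequential GLUT
# leakage (Equations (1), (2)) and of the second-order DPA of Sections 2-3.
# The S-box, subkey, noise level and trace count below are constructed.

_sbox_rng = random.Random(2010)
SBOX = list(range(256))
_sbox_rng.shuffle(SBOX)       # constructed bijective 8-bit S-box (not AES)
MEAN_HW = 4.0                 # mean Hamming weight of a uniform byte


def hamming_weight(v):
    return bin(v).count("1")


def simulate_traces(subkey, n_traces, sigma, seed=1):
    """Constructed traces: v1 = Sbox(x ^ s) ^ b (masked S-box output) and
    v2 = b (output mask) each leak W_H(.) plus Gaussian noise N(0, sigma)."""
    rng = random.Random(seed)
    xs, l1, l2 = [], [], []
    for _ in range(n_traces):
        x, b = rng.randrange(256), rng.randrange(256)
        xs.append(x)
        l1.append(hamming_weight(SBOX[x ^ subkey] ^ b) + rng.gauss(0.0, sigma))
        l2.append(hamming_weight(b) + rng.gauss(0.0, sigma))
    return xs, l1, l2


def combine(name, a, c, mu1, mu2):
    """Combining function C(l1, l2); the product uses centred samples."""
    if name == "product":
        return (a - mu1) * (c - mu2)
    if name == "absdiff":
        return abs(a - c)
    if name == "sum":
        return a + c
    raise ValueError(name)


def model_table(name):
    """m(h) = E_b[C(W_H(Z ^ b), W_H(b))] for a secret state Z of Hamming
    weight h: the mean over all 256 output masks, as in Section 3.1."""
    table = []
    for h in range(9):
        z = (1 << h) - 1          # any Z with h set bits gives the same mean
        total = sum(combine(name, hamming_weight(z ^ b), hamming_weight(b),
                            MEAN_HW, MEAN_HW) for b in range(256))
        table.append(total / 256)
    return table


def mean(v):
    return sum(v) / len(v)


def std(v):
    mu = mean(v)
    return math.sqrt(sum((t - mu) ** 2 for t in v) / len(v))


def pearson(u, v):
    """Pearson's coefficient; a constant model (the sum combining gives one)
    carries no key dependency and is scored 0."""
    su, sv = std(u), std(v)
    if su == 0.0 or sv == 0.0:
        return 0.0
    mu, mv = mean(u), mean(v)
    return sum((a - mu) * (c - mv) for a, c in zip(u, v)) / (len(u) * su * sv)


def second_order_cpa(xs, l1, l2, name):
    """Steps 1-4 of Section 2: predict Sbox(x ^ s*), model the combined
    leakage, combine the two samples, compare with Pearson's coefficient.
    Returns (|rho| per candidate, best candidate)."""
    mu1, mu2 = mean(l1), mean(l2)
    combined = [combine(name, a, c, mu1, mu2) for a, c in zip(l1, l2)]
    table = model_table(name)
    scores = []
    for cand in range(256):
        models = [table[hamming_weight(SBOX[x ^ cand])] for x in xs]
        scores.append(abs(pearson(models, combined)))
    return scores, max(range(256), key=scores.__getitem__)


def three_variable_rho(l1, l2, models):
    """Equation (4): Pearson's coefficient for three random variables."""
    mu1, mu2, mm = mean(l1), mean(l2), mean(models)
    num = sum((a - mu1) * (c - mu2) * (m - mm)
              for a, c, m in zip(l1, l2, models)) / len(l1)
    return num / (std(l1) * std(l2) * std(models))


def equations_agree(xs, l1, l2, cand):
    """rho(M, C(L1, L2)) with the normalised product and the three-variable
    rho of Equation (4) differ only by sigma(C) / (sigma(L1) sigma(L2))."""
    mu1, mu2 = mean(l1), mean(l2)
    combined = [(a - mu1) * (c - mu2) for a, c in zip(l1, l2)]
    table = model_table("product")
    models = [table[hamming_weight(SBOX[x ^ cand])] for x in xs]
    lhs = pearson(models, combined) * std(combined)
    rhs = three_variable_rho(l1, l2, models) * std(l1) * std(l2)
    return abs(lhs - rhs) < 1e-9


if __name__ == "__main__":
    SECRET = 0x2A                                   # constructed subkey
    xs, l1, l2 = simulate_traces(SECRET, 1500, 0.5)
    for name in ("product", "absdiff", "sum"):
        scores, best = second_order_cpa(xs, l1, l2, name)
        print(f"{name:8s} best candidate 0x{best:02x} |rho| = {scores[best]:.3f}")
    print("equations (3) and (4) agree:", equations_agree(xs, l1, l2, SECRET))
```

With the product combining, the model table is exactly 2 − h/2 for Hamming weight h (linear in h, nine distinct values), the absolute difference gives only five distinct values (the pairs h = 1, 2 and so on coincide), and the sum gives the constant 8, which is why the correlation scores it zero for every candidate, as the text above states.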

4 Evaluating Second-Order Leakage: IT Analysis

In general, the evaluation of second-order side-channel attacks is not straightforward to capture. More precisely, it is easy to see that an analysis based only on the correlation coefficient may suffer from certain limitations. For example:

— Given Pearson’s correlation coefficient as a distinguisher and a Hamming weight leakage function, there exist (trivial) combination functions for the samples (e.g. the sum) that do not lead to successful key recoveries.

— Given Pearson’s coefficient as a distinguisher and the normalized product combination function, there exist leakage functions (e.g. with no linear dependencies between the samples) that don’t lead to successful key recoveries.

These observations suggest that the simple situation in the first-order context, where the correlation coefficient could (under certain physical assumptions detailed in inn) be used both as a distinguisher and as a measure of side-channel leakage, does not hold here. In second-order side-channel attacks, this correlation is only a distinguisher. Hence, it is a typical context in which the evaluation framework of Eurocrypt 2009 is interesting to put into practice:

1. First, an information theoretic analysis is performed, in order to evaluate the physical leakages, independently of the adversary who exploits them. When applied to a countermeasure (e.g. masking), this step allows to quantify how much the security of the device has been improved against an adversary who can perfectly profile the leakage pdf. In other words, it can be used as an objective measure of the quality of the countermeasure, in a worst case scenario (i.e. best adversary, large number of queries; see m for the details).

2. Second, a security analysis is performed, in order to evaluate how efficiently a particular distinguisher (e.g. Pearson’s correlation coefficient with a given combining function) can exploit the available leakage. This step is useful to translate the previous information theoretic analysis into a “number of measurements required to extract the key”, in a given scenario.

In this section, we tackle the first part of the analysis. For this purpose, and in order to compare our conclusions with previous works, we use exactly the same assumptions as El, a Hamming weight leakage function for the two samples, just as described in Section 3. Following the definitions in [20], we compute:


H[S]Li,L?,Xi] = -)TPr[.s] )T)Pr[:n] / J Pr[l { , lf\s, au] log 2 Pr[s|Zj , l\, xi] dll dll 
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Fig. 3. Information leakage for different combination functions 


Since the leakage samples are assumed to be normally distributed, this can be 
quite easily done in function of the noise standard deviation a n . Some simpli- 
fications allow to speed up the computations, e.g. by observing that only nine 
distributions are possible, corresponding to the nine Hamming weights of the 
secret states Zp Also, in order to evaluate the information loss caused by the 
different combination functions, we similarly evaluated H[SjC(L{ , Lj), X-[], This 
implies slightly more complex integrals since, e.g. the product combining gives 
rise to mixtures of normal product distributions. Figure El in Appendix El il- 
lustrates these distributions for two secret states and two cr„’s. The mutual 
information values corresponding to these different information leakages {i.e. 
I(5;(Lj,Lj,Xi)) = H[S] - H[£|Li,L?,Xi]) are then plotted in Figure 0 in 
function of the noise variance (in log scale). From this figure, we can observe: 

1. All combination functions imply a loss of information that can be avoided 
by dealing directly with the 2-dimensional joint leakage distribution. 

2. The sum and absolute difference combining functions give rise to exactly the 
same information leakage. This can be understood from the shape of their 
distributions: the distribution of the absolute difference combining can be 
seen as the one of the sum combining that has been folded up. 

3. For small $\sigma_n$, the normalized product is the least informative combining func- 
tion. By contrast, when increasing the noise, the information leakage of the 
normalized product combining gets close to the one of the joint distribution. 

4. The respective efficiency of different combining functions varies with the 
amount of noise. In particular, after a certain noise threshold, the product 
combining carries more information on S than the sum/absolute difference. 

Note that the leakage of the sum combining's output clearly relates to the pre- 
vious evaluation of [?], in which masking is analyzed in the hardware setting. 
5 Implications for Profiled Attacks: Security Analysis (I) 

The previous information theoretic analysis provides a new perspective to un- 
derstand the relation between a masking scheme, its physical leakages and the 
exploitation of this information by a side-channel attack. For example, it ex- 
hibits that the sum combining function leads to significant information leakages 
(as can also be seen from the different pdfs in the appendix), although they cannot 
be directly exploited with Pearson's correlation coefficient. Previous works such 
as the one of Waddle and Wagner [?] showed how to overcome this limitation of 
the correlation coefficient, by squaring the combined samples. But our analysis 
raises the question whether these information leakages can be directly exploited 
(i.e. without squaring) by other distinguishers. In order to tackle this question, 
we apply the second part of the framework in [?], i.e. security analysis. This 
section starts with the evaluation of profiled (template) attacks, for which a 
strong relation with the previous information theoretic analysis should hold. 

The results of various template attacks performed against the same masked 
AES S-box as in the previous sections are given in Figure 4 for two different 
noise standard deviations. We mention that these attacks do not use Gaussian 
templates as in [?] but the exact leakage distributions as in the previous in- 
formation theoretic analysis (e.g. attacks using the joint distributions exploit 
Gaussian mixtures; attacks using the normalized product combining function 
exploit normal product distribution mixtures, etc., as plotted in the appendix). 
The different success rates are computed over 1000 independent experiments 
and nicely confirm the theoretical predictions of Theorem 2 in [?]. 

First, we see that the sum and absolute difference combining functions lead 
to the same attack efficiency in this profiled case (since their outputs lead to the 
same information leakages). Second, we see that the point in Figure 4 where the 
sum / absolute difference and the normalized product curves intersect is mean- 
ingful. Left of the intersection (e.g. for $\sigma_n = 0.25$), the sum / absolute difference 
combining functions allow more efficient attacks than the normalized product 
one. Right of the intersection (e.g. for $\sigma_n = 0.75$), the opposite conclusion holds. 



Fig. 4. Success rate of (simulated) profiled attacks against a masked AES S-box 
And as shown in the appendix, these attacks have a similar efficiency 
at the intersection, which falls around $\sigma_n = 0.4$ (that is, $\log_{10}(\sigma_n^2) \approx -0.8$). 

Of course, these experiments are partially artificial since in practice, an ad- 
versary who can profile the leakages will generally use the templates based on 
the joint distribution only. At least, this is the best strategy if the adversary 
has enough data and time to profile the multivariate leakage pdf. However, our 
results confirm that an information theoretic analysis provides an objective eval- 
uation of the quality of a countermeasure against the “best-available” template 
adversaries in the DPA setting. Hence, they emphasize that such an analysis is 
an important part in the evaluation of side-channel countermeasures. Also, these 
results lead to the same conclusions as [?], and show that resistance against 
sufficiently profiled template attacks cannot be achieved by masking only. 

6 Implications for Non-profiled Attacks: Security Analysis (II) 

The previous section showed that for carefully profiled template attacks, there is 
a strong connection between the information leakage of a device and the success 
rate of the adversary. By contrast, we know that in the non-profiled context of 
correlation attacks, this observation does not hold in general. For example, Pear- 
son's coefficient cannot be used to exploit the leakages corresponding to the sum 
combining of Section 4.1. Hence, it is natural to check whether there exist other 
non-profiled distinguishers that can be successful in this case. We answer this 
question positively, using the Mutual Information Analysis (MIA) introduced in 
[?]. It can be seen as the counterpart of template attacks, in which the leakage 
distributions are estimated "on-the-fly" rather than prior to the attacks. 

The success rates of correlation and MIA attacks (here, and in the rest of the 
paper, computed over 500 independent experiments), using different combining 
functions, are given in Figure 5, again using the (simulated) setting described in 
the previous section. In our experiments, MIA estimates the pdf using histograms 
with $N_b$ linearly-spaced bins, $N_b$ corresponding to the number of possible 
values for the models, as proposed in [?]. That is, we use 9 bins per leakage sample 
and we partition the leakage samples according to the 9 Hamming weights of 
the secret state. The following observations can be emphasized: 

1. In the low noise scenario, MIA with the sum and absolute difference com- 
bining functions works best, as similarly observed for template attacks. 

2. By contrast, and contrary to template attacks, MIA without combining func- 
tion (i.e. using the joint distribution directly, as in [?]) is not the most 
efficient solution in our simulations. This is caused by the need to estimate 
two-dimensional distributions, which turns out to require more data. 

3. For similar reasons (i.e. also related to the different efficiency of the "on- 
the-fly" pdf estimation), when increasing the noise, MIA with the sum and 
absolute difference combining functions are not equivalent anymore. 

4. Finally, attacks using Pearson's correlation coefficient perform well, especially 
when combined with the normalized product (which is natural since our 
simulated leakages perfectly fulfill the requirements of Section 3.1). 
Fig. 5. Success rate of (simulated) non-profiled attacks - masked AES S-box 


Importantly, we note that all these non-profiled distinguishers lead to signifi- 
cantly lower efficiencies than the profiled ones in the previous section. 
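The behaviour of Pearson's coefficient described above (no correlation with a Hamming weight model after sum combining, a usable correlation after normalized product combining) can be checked exactly in a noise-free model and then in a simulated attack. The Python program below is an added example and not code from the paper. It assumes the DES S-box S1 as the 4-bit-output target (as in the experiments of Section 7), a constructed Hamming weight leakage model with Gaussian noise of standard deviation sigma on both samples (the mask sample and the masked S-box output sample), the three combining functions compared above, and the key hypothesis HW(S(x xor k)); the true key, noise level and trace count are arbitrary choices. Over all 64 inputs and 16 output masks without noise, the correlation with the correct key is exactly 0 for the sum, -0.5 for the normalized product and about 0.35 for the absolute difference; with noise, the product and absolute-difference attacks rank the correct key first while the sum attack cannot.

```python
import random

# DES S-box S1 (FIPS 46-3), used as the 6-bit -> 4-bit target non-linearity.
DES_S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox(v):
    """DES convention for a 6-bit input b1..b6: row = b1 b6, column = b2 b3 b4 b5."""
    row = (((v >> 5) & 1) << 1) | (v & 1)
    return DES_S1[row][(v >> 1) & 0xF]

HW = [bin(i).count("1") for i in range(16)]   # Hamming weight of a 4-bit value
MEAN_HW = 2.0                                  # E[HW] of a uniform 4-bit value

def combine(l1, l2, kind):
    """The second-order combining functions applied to the two leakage samples."""
    if kind == "sum":
        return l1 + l2
    if kind == "absdiff":
        return abs(l1 - l2)
    if kind == "product":                      # normalized (mean-centred) product
        return (l1 - MEAN_HW) * (l2 - MEAN_HW)
    raise ValueError(kind)

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5

def exact_correlation(kind, k_true, k_guess):
    """Noise-free correlation between C(HW(q), HW(S(x^k)^q)) and the hypothesis
    HW(S(x^k_guess)), taken over all 64 inputs x and all 16 output masks q."""
    combined, model = [], []
    for x in range(64):
        for q in range(16):
            combined.append(combine(HW[q], HW[sbox(x ^ k_true) ^ q], kind))
            model.append(HW[sbox(x ^ k_guess)])
    return pearson(combined, model)

def simulate_traces(k_true, n_traces, sigma, seed=1):
    """Constructed traces (x, l1, l2): l1 = HW(q) + N(0, sigma) leaks the output mask q,
    l2 = HW(S(x^k) ^ q) + N(0, sigma) leaks the masked S-box output."""
    rng = random.Random(seed)
    traces = []
    for _ in range(n_traces):
        x, q = rng.randrange(64), rng.randrange(16)
        l1 = HW[q] + rng.gauss(0, sigma)
        l2 = HW[sbox(x ^ k_true) ^ q] + rng.gauss(0, sigma)
        traces.append((x, l1, l2))
    return traces

def second_order_cpa(traces, kind):
    """All 64 key guesses ranked by |Pearson| between the combined leakage and HW(S(x^k))."""
    combined = [combine(l1, l2, kind) for _, l1, l2 in traces]
    xs = [x for x, _, _ in traces]
    scores = {k: abs(pearson(combined, [HW[sbox(x ^ k)] for x in xs])) for k in range(64)}
    return sorted(scores, key=scores.get, reverse=True)

if __name__ == "__main__":
    K = 0b101011                               # arbitrary true 6-bit subkey
    traces = simulate_traces(K, 4000, sigma=0.5)
    for kind in ("sum", "absdiff", "product"):
        rho = exact_correlation(kind, K, K)
        ranking = second_order_cpa(traces, kind)
        print(f"{kind:8s} exact rho = {rho:+.4f}  best guesses = {ranking[:3]}"
              f"  rank of true key = {ranking.index(K) + 1}")
```

The exact values follow from conditioning on the Hamming weight h of the unmasked S-box output: the expectation of the sum over the 16 masks is the constant 4, the expectation of the centred product is 1 - h/2, and the expectation of the absolute difference grows with h, which is what a correlation attack needs. Raising sigma or lowering the trace count in simulate_traces reproduces the noise dependence discussed in the text.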

7 Experimental Results 

The previous sections evaluated the impact of masking an S-box with respect 
to various side-channel distinguishers, based on simulations. But as for most in- 
vestigations in physically observable cryptography, it is important to verify that 
our conclusions are reasonably confirmed by practical measurements performed 
against a real chip. For this purpose, we also carried out a set of attacks against 
a masked implementation of the DES in an 8-bit RISC microcontroller from the 
Atmel AVR family. Considering the DES (rather than the AES) was motivated 
by practical facilities. Since the output of the DES S-box is 4-bit wide, it allows 
considering different contexts: in a first (low noise) scenario, the 4 remaining bits 
on the bus are kept constant; in a second scenario, these 4 bits are used in order 
to produce some additional algorithmic noise, by concatenating (secret) random 
strings to the two target values of Figure [?]. This is interesting since the noise 
level was an important parameter in our previous simulations. Hence, 
the different scenarios can be used to adapt the noise level in our experimental 
setting as well. The results in Figure 6 bring an interesting complement to our 
previous simulations and lead to the following observations: 

1. The excellent efficiency of template attacks¹ and the good behavior of cor- 
relation attacks using the normalized product combining function are again 
exhibited. Interestingly, their respective efficiency gets closer when increas- 
ing the amount of algorithmic noise in the measurements, as is suggested 
by the information theoretic analysis of Section 4. 

2. MIA using the joint distribution is much more efficient than in the AES 
case. This is in fact related to the reduced number of bins that the 4-bit 
DES S-box allows in the pdf estimations (i.e. 25 rather than 81). 

¹ We profiled our templates as described in the template-based DPA of [?]. 
Fig. 6. Success rate of various experimental attacks against a masked DES 


3. The presence of algorithmic noise (in the right part of Figure 6) affects the 
different distinguishers in a very different manner. To give a single example, 
MIA with the absolute difference combining function is strongly affected by 
this noise addition, compared to its counterpart using Pearson's coefficient. 

Summarizing, these experiments confirm the "world is not enough" nature of 
second-order DPA that was already underlined in the previous simulations. The 
only strong statement that can be made in this context is that an information 
theoretic metric estimated with perfect templates captures the security against 
the best possible profiled adversary. As for all the other distinguishers, their effi- 
ciency highly depends on the actual shape of the leakage pdf and the engineering 
knowledge that can be exploited when mounting an attack. And contrary to the 
first-order case discussed in [?], the Gaussian assumption for the leakage sam- 
ples does not hold anymore from the adversary's point of view (e.g. masking 
typically implies mixtures of Gaussian, or other, distributions). 

8 Generalization to Higher-Orders 

In order to improve the security of masking schemes further, one approach is 
to increase their order. For this purpose, this final section analyzes the cost vs. 
security tradeoff that can be obtained by generalizing the GLUT countermeasure 
in such a way, and details the second- and third-order cases for illustration. That 
is, rather than using one input mask per S-box, we now use two or three masks 
per S-box. In terms of cost, this implies using one or two additional tables Sbox'' 
and Sbox''', as described, e.g., in [?]. Conveniently, all the tools used in second- 
order DPA can be easily generalized to these third- and fourth-order attack 
cases. In particular, the information theoretic analysis of Section 4 just requires 
integrating over three or four leakage samples $l_1, l_2, l_3$ and $l_4$. 

The information leakage of these different masking schemes is represented in 
Figure 8 as a function of the noise variance. On the same plot, we represented 
the average number of queries to the target device required for a perfectly pro- 
filed attack (similar to the ones in Section 5) to reach a success rate of 90%. 
These figures provide a quantitative insight into the observations in [?], where it is 
demonstrated that, given a large enough noise variance, the data complexity of 
a side-channel attack increases exponentially with the number of shares in the 
masking scheme. That is, given a noise variance $\sigma^2$ in the leakage samples and 
$k$ shares, the data complexity required to attack a masking scheme successfully 
is proportional to $(\sigma^2)^{k/2}$. The linear regions of the (log scale) curves that are 
observed in the right part of the figure suggest that this expectation is fulfilled 
in our experiments. Importantly, it also shows that the impact of (higher-order) 
masking can be extremely small in terms of security increase, for small $\sigma^2$. 

Note finally that these results give a practical counterpart to the recent the- 
oretical analysis of [?], where it is shown that masking schemes based on secret 
sharing techniques lead to secure implementations if the number of shares is 
adjusted to be large enough with respect to the noise in the measurements. 

8.1 A Case for the Information Theoretic Metric 

Looking at Figure 8, the main question for a designer (or evaluation laboratory) 
is how best to trade the number of shares against the amount of noise that has to be 
added to the implementation, in order to reach a certain security level. This is essential 
since increasing these parameters has a strong impact on the performance of the 
implementation. Unfortunately, for high security levels, the proper estimation of 
the number of traces required to reach a certain success rate becomes intensive 
(because of statistical sampling issues). Already in simulations, running 1000 
attacks, each of them using $10^5$ queries, is time consuming. And when mov- 
ing to the analysis of real traces (taking much more time to be generated and 
space to be stored), this limitation becomes even more critical. Interestingly, this 
is exactly the context where an information theoretic analysis becomes useful. 
Given a leakage model, the mutual information $I(S; L_1, L_2, \ldots)$ can be estimated 
with less data than the success rate of the corresponding template attack. And 
following [?], Theorem 2, it should hold that this mutual information is rea- 
sonably correlated with the number of traces required to reach a certain success 
rate. In order to confirm this expectation, we plotted an estimation of this num- 
ber, based on the inverse of the mutual information multiplied by a constant 
factor $c$. As illustrated in Figure 8, this approximation holds nearly perfectly, 
with the same constant $c$ for all attacks, essentially depending on the success 
rate to reach (here 90%). Summarizing, these simulations confirm the relevance 
of an information theoretic analysis when designing countermeasures against 
side-channel attacks. 

Fig. 8. Information leakage and success rate for 1st-, 2nd- and 3rd-order masking 

Before concluding, we note again that such an information theoretic analysis 
only captures the most powerful adversaries for which the profiling of the leakage 
distributions is perfect. But in practice, the reduction of the information leakage 
is not the only effect that increases the security in masked implementations. 
Namely, the pdf estimation of multidimensional distributions may become too 
complex for allowing the exploitation of all the information in the traces. And 
the number of pairs, triples, etc. of samples to test in the attacks also increases 
their time complexity considerably (up to N 2 , N 3 , etc.). However, we believe 
that the formal analysis of a worst-case scenario as in this paper is an important 
step towards a better understanding of the masking countermeasure. 

9 Conclusions 

The results in this paper provide a first complete and unifying treatment of 
higher-order power analysis. They allow putting forward the strengths and weak- 
nesses of various approaches to second-order DPA and provide a sound expla- 
nation for them. Our analysis illustrates that in the context of cryptographic 
devices protected with masking, it is not sufficient to run a single arbitrary dis- 
tinguisher to quantify the security of an implementation. Evaluations should 
hold in two steps. First, an information theoretic analysis determines the actual 
information leakage (i.e. the impact of the countermeasure, independently of 
the adversary). Second, a security analysis determines the efficiency of various 
distinguishers in exploiting this leakage. By applying such a methodology to 
simulations and practical experiments, we consequently obtain a fair and com- 
prehensive evaluation of the security level that a masking scheme can ensure. 

While not in contradiction with previous results in the field, these investiga- 
tions reshape the understanding of certain assumptions and allow refined intu- 
itions. First, theoretical analysis and empirical attacks sometimes show a large 
gap between the efficiency of profiled attacks that best exploit the information 
from two or more leakage samples and the one of non-profiled attacks that are 
most frequently used in practice. This relates to the observation that the statis- 
tics in side-channel attacks are only used to discriminate secret data (while their 
natural objective is to allow a good estimation). Hence, the study of advanced 
pdf estimation techniques in the context of side-channel attacks is an interesting 
direction for further research, as initiated with MIA in [?]. 

Second, the security improvement obtained when increasing the order of a mask- 
ing scheme beyond one is negligible if it is not combined with a sufficient amount of 
noise in the leakages. This observation relates to the generally accepted intuition 
that side-channel resistance requires the combination of several countermeasures 
in order to be effective. We additionally show in this paper that an information 
theoretic analysis has very convenient features for evaluating this noise threshold 
precisely. As a result, the best combination of masking with other countermea- 
sures ( e.g . dual rail logic styles, time randomization, etc.) is a second interesting 
scope for further research. Finally, the relationship between the mutual informa- 
tion and the success rate of a profiled attack, that is experimentally exhibited in 
this paper in the context of second- (and higher-) order DPA, could be analyzed 
in order to obtain a more formal justification of it, e.g. under the assumption of 
Gaussian noise in the leakages. 
Abstract. Non-linear feedback shift registers are widely used in light- 
weight cryptographic primitives. For such constructions we propose a gen- 
eral analysis technique based on differential cryptanalysis. The essential 
idea is to identify conditions on the internal state to obtain a determinis- 
tic differential characteristic for a large number of rounds. Depending on 
whether these conditions involve public variables only, or also key vari- 
ables, we derive distinguishing and partial key recovery attacks. We apply 
these methods to analyse the security of the eSTREAM finalist Grain v1 
as well as the block cipher family KATAN/KTANTAN. This allows us to 
distinguish Grain v1 reduced to 104 of its 160 rounds and to recover some 
information on the key. The technique naturally extends to higher order 
differentials and enables us to distinguish Grain-128 up to 215 of its 256 
rounds and to recover parts of the key up to 213 rounds. All results are the 
best known thus far and are achieved by experiments in practical time. 

Keywords: differential cryptanalysis, NLFSR, distinguishing attack, 
key recovery, Grain, KATAN/KTANTAN. 


1 Introduction 

For constrained environments like RFID tags or sensor networks a number of 
cryptographic primitives, such as stream ciphers and lightweight block ciphers, 
have been developed to provide security and privacy. Well known such crypto- 
graphic algorithms are the stream ciphers Trivium [?] and Grain [?] that have 
been selected in the eSTREAM portfolio of promising stream ciphers for small 
hardware [?], and the block cipher family KATAN/KTANTAN [?]. All these 
constructions build essentially on non-linear feedback shift registers (NLFSRs). 
These facilitate an efficient hardware implementation and at the same time help 
to counter algebraic attacks. 

Stream ciphers and block ciphers both mix a secret key and a public param- 
eter (the initial value for stream ciphers and the plaintext for block ciphers) 
in an involved way to produce the keystream or the ciphertext, respectively. 
In cryptanalysis, such systems are often analysed in terms of boolean functions 
that to each key $k$ and public parameter $x$ assign an output bit $f(k, x)$. Several 
cryptanalytic methods analyse functions derived from $f$. They can be roughly 
divided into algebraic and statistical methods. The cube attack presented in [?] 
is an algebraic method. It consists in finding many derivatives of $f$ that are 
linear in the key bits, such that the key can be found by solving a system of 
linear equations. The $d$-monomial test introduced in [?] provides a statistical 
framework to analyse the distribution of degree $d$ monomials in the algebraic 
normal form of $f$. Another statistical approach is presented in [?], where the 
concept of probabilistic neutral key bits is applied to derivatives of $f$. The notion 
of cube testers introduced in [?] covers many of these methods. All of them have 
in common that they interact with $f$ mainly in a black box manner, exploiting 
the structure of the underlying primitive only indirectly. 

In this paper we propose a general analysis principle that we call conditional dif- 
ferential cryptanalysis. It consists in analysing the output frequency of derivatives 
of $f$ on specifically chosen plaintexts (or initial values). Differential cryptanalysis, 
introduced in [?] for the analysis of block ciphers, studies the propagation of an 
input difference through an iterated construction and has become a common tool 
in the analysis of initialization mechanisms of stream ciphers, see [?]. In the 
case of NLFSR-based constructions, only few state bits are updated at each iter- 
ation, and the remaining bits are merely shifted. This results in a relatively slow 
diffusion. Inspired by message modification techniques introduced in [?] for hash 
function cryptanalysis, we trace the differences round by round and identify con- 
ditions on the internal state bits that control the propagation of the difference 
through the initial iterations. From these conditions we derive plaintexts (or ini- 
tial values) that follow the same characteristic at the initial rounds and allow us 
to detect a bias in the output difference. In some cases the conditions also involve 
specific key bits, which enables us to recover these bits in a key recovery attack. 

The general idea of conditional differential cryptanalysis has to be elaborated 
and adapted with respect to each specific primitive. This is effected for the block 
cipher family KATAN and its hardware optimized variant KTANTAN as well as 
for the stream ciphers Grain v1 and Grain-128. The analysis of the block cipher 
family KATAN/KTANTAN is based on first order derivatives and nicely illus- 
trates our analysis principle. For a variant of KATAN32 reduced to 78 of the 254 
rounds we can recover at least two key bits with probability almost one and com- 
plexity $2^{22}$. Comparable results are obtained for the other members of the family. 
We are not aware of previous cryptanalytic results on the KATAN/KTANTAN 
family. The analysis of Grain v1 is similar to that of KATAN, however the in- 
volved conditions are more sophisticated. We obtain a practical distinguisher 
for up to 104 of the 160 rounds. The same attack can be used to recover one 
key bit and four linear relations in key bits with high probability. Grain v1 was 
previously analysed in [?], where a sliding property is used to speed up exhaus- 
tive search by a factor two, and in [?], where a non-randomness property for 81 
rounds could be detected. 

Conditional differential cryptanalysis naturally extends to higher order deriva- 
tives. This is demonstrated by our analysis of Grain-128, which, compared to 
Grain v1, is surprisingly more vulnerable to higher order derivatives. We get a 
practical distinguisher for up to 215 of the 256 rounds and various partial key 
recovery attacks for only slightly fewer rounds. For a 197 round variant we re- 
cover eight key bits with probability up to 0.87, for a 213 round variant two key 
bits with probability up to 0.59. The previously best known cryptanalytic result 
was a theoretical key recovery attack on 180 rounds, which was able to speed up 
exhaustive key search by a factor $2^4$, but without the feasibility to predict the 
value of single key bits, see [?]. Moreover, a result in [?] mentions key recovery 
for up to 192 rounds and in [?] a non-randomness property was detected in a 
chosen key scenario. 

The paper is organised as follows. Section 2 recalls the definition of higher 
order derivatives of boolean functions and discusses the application of frequency 
tests to such derivatives. Section 3 provides the general idea of conditional differ- 
ential cryptanalysis of NLFSR-based cryptosystems. In Sections 4, 5 and 6 
this idea is refined and adapted to a specific analysis of the KATAN/KTANTAN 
family, Grain v1 and Grain-128. 

2 Notation and Preliminaries 

In this paper $\mathbb{F}_2$ denotes the binary field and $\mathbb{F}_2^n$ the $n$-dimensional vector space 
over $\mathbb{F}_2$. Addition in $\mathbb{F}_2$ is denoted by $+$, whereas addition in $\mathbb{F}_2^n$ is denoted by $\oplus$ 
to avoid ambiguity. For $0 \le i \le n-1$ we denote by $e_i \in \mathbb{F}_2^n$ the vector with a one 
at position $i$ and zeros otherwise. 

We now recall the definition of the $i$-th derivative of a boolean function in- 
troduced in [?], and we discuss the application of a frequency test to such 
derivatives. 


2.1 Derivatives of Boolean Functions 

Let $f : \mathbb{F}_2^n \to \mathbb{F}_2$ be a boolean function. The derivative of $f$ with respect to 
$a \in \mathbb{F}_2^n$ is defined as 

$$\Delta_a f(x) = f(x \oplus a) + f(x).$$

The derivative of $f$ is itself a boolean function. If $\alpha = \{a_1, \ldots, a_i\}$ is a set of 
vectors in $\mathbb{F}_2^n$, let $L(\alpha)$ denote the set of all $2^i$ linear combinations of elements 
in $\alpha$. The $i$-th derivative of $f$ with respect to $\alpha$ is defined as 

$$\Delta^{(i)}_{\alpha} f(x) = \sum_{c \in L(\alpha)} f(x \oplus c).$$

We note that the $i$-th derivative of $f$ can be evaluated by summing up $2^i$ eval- 
uations of $f$. We always assume that $a_1, \ldots, a_i$ are linearly independent, since 
otherwise $\Delta^{(i)}_{\alpha} f(x) = 0$ trivially holds. If we consider a keyed boolean function 
$f(k, \cdot)$ we always assume that the differences are applied to the second argument 
and not to the key. 
2.2 Random Boolean Functions and Frequency Test 

Let $D$ be a non-empty subgroup of $\mathbb{F}_2^n$. A random boolean function on $D$ is a 
function $D \to \mathbb{F}_2$ whose output is an independent uniformly distributed random 
variable. If $f$ is a random boolean function on $D$, the central limit theorem says 
that for sufficiently many inputs $x_1, \ldots, x_s \in D$ the value 

$$\xi(f) = \frac{\sum_{k=1}^{s} f(x_k) - s/2}{\sqrt{s/4}}$$

approximately follows a standard normal distribution. Denoting by $\Phi$ 
the standard normal distribution function, a boolean function is said to pass the 
frequency test on $x_1, \ldots, x_s$ at a significance level $\alpha$ if 

$$\Phi(|\xi(f)|) < 1 - \frac{\alpha}{2}.$$

A random boolean function passes the frequency test with probability $1 - \alpha$. If 
the frequency test is used to distinguish a keyed boolean function $f(k, \cdot)$ from a 
random boolean function, we denote by $\beta$ the probability that $f(k, \cdot)$ passes the 
frequency test for a random key $k$. The distinguishing advantage is then given 
by $1 - \alpha - \beta$. 

2.3 Frequency Test on Derivatives 

If $\alpha = \{a_1, \ldots, a_i\}$ is a set of linearly independent differences, the $i$-th derivative 
of a random boolean function is again a random boolean function. Its output is 
the sum of $2^i$ independent uniformly distributed random variables. But for any 
two inputs $x, x'$ with $x \oplus x' \in L(\alpha)$ the output values are computed by the same 
sum and thus $\Delta^{(i)}_{\alpha} f(x) = \Delta^{(i)}_{\alpha} f(x')$. Hence, the $i$-th derivative is not a random 
function on $D$, but on the quotient group $D / L(\alpha)$. A frequency test of $\Delta^{(i)}_{\alpha} f$ on 
$s$ inputs needs $s \cdot 2^i$ queries to $f$. 
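The definitions of Sections 2.1 to 2.3 can be exercised directly. The Python code below is an added example, not code from the paper: it implements the i-th derivative over L(alpha), the frequency test, one representative per coset of L(alpha) and the query count s * 2^i, with vectors of F_2^n encoded as integers (bit j is coordinate j). The functions f_quad and f_random_like are constructed test functions, the latter a SHA-256-based stand-in for a random boolean function. For f(x) = x_0 x_1 + x_2 the derivative with respect to e_0 is x_1 and the second derivative with respect to {e_0, e_1} is the constant 1, which the frequency test rejects; the derivative of f_random_like is checked to be constant on cosets of L(alpha).

```python
import hashlib
from math import erf, sqrt

def span(alphas):
    """L(alpha): all 2^i linear combinations (XOR sums) of the difference vectors."""
    combos = {0}
    for a in alphas:
        combos |= {c ^ a for c in combos}
    return combos

def derivative(f, alphas, x):
    """i-th derivative: XOR of f(x xor c) over c in L(alpha); costs 2^i queries to f."""
    if len(span(alphas)) != 2 ** len(alphas):
        raise ValueError("difference vectors must be linearly independent")
    out = 0
    for c in span(alphas):
        out ^= f(x ^ c)
    return out

def phi(z):
    """Standard normal distribution function."""
    return 0.5 * (1.0 + erf(z / sqrt(2.0)))

def frequency_test(bits, alpha=0.05):
    """Frequency test of Section 2.2: returns (xi, passed) for observed output bits."""
    s = len(bits)
    xi = (sum(bits) - s / 2) / sqrt(s / 4)
    return xi, phi(abs(xi)) < 1 - alpha / 2

def coset_representatives(n, alphas):
    """One input per coset of L(alpha) in F_2^n (the derivative is constant on a coset)."""
    seen, reps = set(), []
    for x in range(2 ** n):
        if x not in seen:
            reps.append(x)
            seen |= {x ^ c for c in span(alphas)}
    return reps

def derivative_frequency_test(f, alphas, reps, alpha=0.05):
    """Frequency test of the i-th derivative on the given representatives.
    Returns (xi, passed, queries); the test costs len(reps) * 2^i evaluations of f."""
    calls = [0]
    def counted(x):
        calls[0] += 1
        return f(x)
    xi, passed = frequency_test([derivative(counted, alphas, x) for x in reps], alpha)
    return xi, passed, calls[0]

def f_quad(x):
    """Constructed example on F_2^3: f(x) = x0*x1 + x2."""
    x0, x1, x2 = x & 1, (x >> 1) & 1, (x >> 2) & 1
    return (x0 & x1) ^ x2

def f_random_like(x):
    """Deterministic stand-in for a random boolean function on F_2^8 (SHA-256 low bit)."""
    return hashlib.sha256(bytes([x & 0xFF])).digest()[0] & 1

if __name__ == "__main__":
    e0, e1 = 1, 2
    print([derivative(f_quad, [e0], x) for x in range(8)])       # equals x1 for each x
    print([derivative(f_quad, [e0, e1], x) for x in range(8)])   # constant 1
    reps = coset_representatives(8, [e0, e1])                    # 64 cosets of L({e0, e1})
    print(derivative_frequency_test(f_random_like, [e0, e1], reps))   # 64 * 4 = 256 queries
    print(frequency_test([1] * 64), frequency_test([0, 1] * 32))      # rejected, accepted
```

Because the derivative only depends on the coset of x, the representatives passed to derivative_frequency_test must come from distinct cosets; feeding it two inputs from the same coset would count one observation twice and inflate the statistic.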

3 Conditional Differential Cryptanalysis of NLFSR 

This section provides the general idea of our analysis. It is inspired by message 
modification techniques as they were introduced in [?] to speed up the collision 
search for hash functions. We trace differences through NLFSR-based cryptosys- 
tems and exploit the non-linear update to prevent their propagation whenever 
possible. This is achieved by identifying conditions on the internal state vari- 
ables of the NLFSR. Depending on whether these conditions involve the public 
parameter or also the secret key, they have to be treated differently in a chosen 
plaintext attack scenario. The goal is to obtain many inputs that satisfy the con- 
ditions, i.e. that follow the same differential characteristic at the initial rounds. 
In more abstract terms, we analyse derivatives of keyed boolean functions and 
exploit that their output values are iteratively computed. 

We briefly explain NLFSR-based cryptosystems and why our analysis princi- 
ple applies to them. Then we define three types of conditions that control the 
difference propagation in NLFSR-based cryptosystems and we explain how to 
deal with each of these types in a chosen plaintext (chosen initial value) attack 
scenario. The basic strategy is refined and adapted in the later sections to derive 
specific attacks on KATAN/KTANTAN, Grain vl and Grain-128. 


3.1 NLFSR-Based Cryptosystems 

An NLFSR of length $l$ consists of an initial state $s_0, \ldots, s_{l-1} \in \mathbb{F}_2$ and a recursive 
update formula $s_{l+i} = g(s_i, \ldots, s_{l+i-1})$ for $i \ge 0$, where $g$ is a non-linear boolean 
function. The bit $s_{l+i}$ is called the bit generated at round $i$ and $(s_i, \ldots, s_{l+i-1})$ is 
called the state of round $i - 1$. Our analysis principle applies to any cryptographic 
construction that uses an NLFSR as a main building block. These constructions 
perform a certain number of rounds, generating at each round one or more bits 
that non-linearly depend on the state of the previous round. It is this non-linear 
dependency that we exploit in conditional differential cryptanalysis. 

Let $f : \mathbb{F}_2^m \times \mathbb{F}_2^n \to \mathbb{F}_2$ denote the keyed boolean function that to every key 
$k$ and public parameter $x$ assigns one output bit $f(k, x)$ of an NLFSR-based 
construction. If we consider a first order derivative of the function $f$, we apply 
a difference $a \in \mathbb{F}_2^n$ to the public parameter. The value $\Delta_a f(k, x)$ then denotes 
the output difference $f(k, x) + f(k, x \oplus a)$. If $s_i$ is a state bit of our construction, 
we denote by $\Delta_a s_i(k, x)$ the difference in this state bit for the key $k$, the public 
parameter $x$ and the difference $a$. 


3.2 Conditions and Classification 

We now introduce the concepts of our analysis principle. In general, the difference 
of a newly generated state bit depends on the differences and the values of 
previously generated state bits. Each time that $\Delta_a s_i(k, x)$ non-linearly depends 
on a bit that contains a difference, we can identify conditions on previously 
generated state bits that control the value of $\Delta_a s_i(k, x)$. In most cases, the 
conditions are imposed to prevent the propagation of the difference to the newly 
generated state bits. In particular it is important to prevent the propagation at 
the initial rounds. Since we want to statistically test the frequency of $\Delta_a f(k, \cdot)$ 
on inputs that satisfy the conditions, there is an important tradeoff between the 
number of imposed conditions and the number of inputs that we can derive. The 
conditions can not only involve bits of $x$, but also bits of $k$. We classify them 
into three types: 

— Type 0 conditions only involve bits of $x$. 

— Type 1 conditions involve bits of $x$ and bits of $k$. 

— Type 2 conditions only involve bits of $k$. 
In a chosen plaintext (chosen initial value) scenario, type 0 conditions can easily be satisfied by the attacker, whereas he cannot control type 2 conditions at all. In most cases, type 2 conditions consist of simple equations and the probability that they are satisfied for a uniformly random key can easily be determined. Since we do not assume that our attacks can be repeated for more than one key, type 2 conditions generally decrease the advantage of distinguishing attacks and define classes of weak keys for this kind of attack. On the other hand we specifically exploit type 2 conditions to derive key recovery attacks based on hypothesis tests. This is explained in Section 6 where we analyse Grain-128.

In a different way, also type 1 conditions can be used to recover parts of the key. To deal with the type 1 conditions, we introduce the concept of free bits. Suppose that the state bit $s_t$ depends on $x$ as well as on some bits of $k$, and suppose that we want to satisfy the type 1 condition $s_t = 0$. In a chosen plaintext scenario, we cannot control this condition in a simple way. We call those bits of $x$ that do not influence the value of $s_t$ for any key $k$ the free bits for the condition. The remaining bits of $x$ are called non-free. Together with $k$ the non-free bits determine whether the condition is satisfied or not. We call $x$ a valid input if, for a given key $k$, it satisfies the imposed condition. If we define the set $\varphi$ as $\varphi = \{e_i \in \mathbb{F}_2^m \mid x_i \text{ is a free bit}\}$, then we can generate $2^{|\varphi|}$ valid inputs from a single valid input $x$: these are the elements of the coset $x \oplus L(\varphi)$. In general, more than one type 1 condition is imposed. In that case, the free bits are those that are free for all of these conditions. In some cases it may be possible to give a finite number of configurations for the non-free bits such that at least one configuration determines a valid input. Otherwise, if $t$ type 1 conditions are imposed, we expect that about one of $2^t$ different inputs is valid and we just repeat the attack several times with different random inputs.

In some cases we cannot obtain enough inputs by the method of free bits alone. We then try to find non-free bits that only must satisfy a given equation but otherwise can be freely chosen. This provides us with more degrees of freedom to generate a sample of valid inputs. We refer to the analysis of KATAN and Grain v1 for concrete examples of this method.

3.3 Choosing the Differences 

The choice of a suitable difference for conditional differential cryptanalysis is not easy and strongly depends on the specific construction. In particular this holds for higher order derivatives, but also for first order ones. In general, the difference propagation should be controllable for as many rounds as possible with a small number of conditions. In particular, there should not be too many type 1 and type 2 conditions at the initial rounds. Differences which can be controlled by isolated conditions of type 1 or type 2 are favorable for key recovery attacks.

The set of differences for higher order derivatives can be determined by combining first order differences whose characteristics do not influence each other at the initial rounds. In a non-conditional setting, [1] describes a genetic algorithm for finding good sets of differences. This black-box approach did not yield particularly good sets for our conditional analysis.
4 Analysis of KATAN/KTANTAN

KATAN/KTANTAN is a family of lightweight block ciphers proposed in [5]. The family consists of six ciphers denoted by KATANn and KTANTANn for n = 32, 48, 64 indicating the block size of the cipher. All instances accept an 80-bit key and use the same building blocks, namely two NLFSRs and a small LFSR acting as a counter. The only difference between KATANn and KTANTANn is the key scheduling.

In the following we describe KATAN32 and provide the details of our analysis for this particular instance of the family. Our analysis of the other instances is very similar. We only sketch the differences and provide the empirical results.

We emphasize that our analysis does not reveal a weakness of any of the original KATAN/KTANTAN ciphers. On the contrary, with respect to our method, it seems that the number of rounds is sufficiently large to provide a confident security margin.

4.1 Description of KATAN32 

The two NLFSRs of KATAN32 have length 13 and 19 and we denote their states by $l_i, \ldots, l_{i+12}$ and $r_i, \ldots, r_{i+18}$, respectively. A 32-bit plaintext block $x$ is loaded to the registers by $l_i = x_{31-i}$ for $0 \le i \le 12$ and $r_i = x_{18-i}$ for $0 \le i \le 18$. The LFSR has length 8 and we denote its state by $c_i, \ldots, c_{i+7}$. Initialization is done by $c_i = 1$ for $0 \le i \le 6$ and $c_7 = 0$. The full encryption process takes 254 rounds defined by

$c_{i+8} = c_i + c_{i+1} + c_{i+3} + c_{i+5},$

$l_{i+13} = r_i + r_{i+11} + r_{i+6} r_{i+8} + r_{i+10} r_{i+15} + k_{2i+1},$

$r_{i+19} = l_i + l_{i+5} + l_{i+4} l_{i+7} + l_{i+9} c_i + k_{2i},$

where $k_0, \ldots, k_{79}$ are the bits of the key and $k_i$ is recursively computed by

$k_{i+80} = k_i + k_{i+19} + k_{i+30} + k_{i+67}$

for $i \ge 80$. Finally, the states of the two NLFSRs are output as the ciphertext. If we consider a round-reduced variant of KATAN32 with $r$ rounds, the bits $l_{r+i}$ for $0 \le i \le 12$ and $r_{r+i}$ for $0 \le i \le 18$ will be the ciphertext.

4.2 Key Recovery for KATAN32 Reduced to 78 Rounds 

Our analysis is based on a first order derivative and uses the concept of free bits to satisfy type 1 conditions. Here, to obtain enough inputs, we will identify non-free bits that only must satisfy an underdefined system of linear equations, which gives us more degrees of freedom to generate the samples.

We consider a difference of weight five at the positions 1, 7, 12, 22 and 27 of the plaintext block. Let $a = e_1 \oplus e_7 \oplus e_{12} \oplus e_{22} \oplus e_{27}$ denote the initial difference. At round 0 we have

$\Delta_a l_{13}(k,x) = 1 + x_{10},$

$\Delta_a r_{19}(k,x) = x_{24} + 1$
and impose the conditions $x_{10} = 1$ and $x_{24} = 1$ to prevent the difference propagation. Similarly at the rounds 1, 2, 3 and 5, we impose the bits $x_2, x_5, x_6, x_9, x_{19}, x_{25}$ to be zero. At round 7 we have

$\Delta_a l_{20}(k,x) = r_{22}$

and we impose the first type 1 condition

$r_{22} = x_{28} + x_{23} + x_{21} + k_6 = 0. \qquad (1)$

At round 9 we impose $x_3 = 0$. Then three additional type 1 conditions

$r_{19} = x_{31} + x_{26} + x_{27} + x_{22} + k_0 = 1, \qquad (2)$

$r_{23} = x_{27} + x_{22} + x_{23} x_{20} + x_{18} + x_7 + x_{12} + k_1 + k_8 = 0, \qquad (3)$

$r_{26} = 1 + x_{20}(x_{17} + k_3) + k_{14} = 0 \qquad (4)$

are imposed at the rounds 11, 13 and 20.

The free bits for these conditions can be directly read from the equations. They are:

$x_0, x_4, x_8, x_{11}, x_{13}, x_{14}, x_{15}, x_{16}, x_{29}$ and $x_{30}$.

So far, for any valid plaintext we can derive a sample of $2^{10}$ valid plaintexts. Since, in this case, this is not enough to perform a significant frequency test, we try to obtain larger samples by better analysing the non-free bits. Looking at the equations (1) to (4) we note that the non-free bits $x_7, x_{12}, x_{18}, x_{21}, x_{22}, x_{26}, x_{27}, x_{28}$ and $x_{31}$ only occur linearly. They can be freely chosen as long as they satisfy the system of linear equations

$x_{28} + x_{21} = A$

$x_{31} + x_{26} + x_{27} + x_{22} = B$

$x_{27} + x_{22} + x_{18} + x_7 + x_{12} = C$

for constants $A, B, C$. This system has $2^6$ different solutions that can be added to each valid plaintext. In total this gives a sample of size $2^{16}$ that we can generate from a valid plaintext. Since we imposed 9 type 0 conditions we are left with $2^5$ different samples of plaintexts for a given key. The conditions are satisfied for at least one of these samples. On this sample the difference in bit 18 of the ciphertext after 78 rounds (this is bit $r_{78}$) is strongly biased. We perform a frequency test of $\Delta_a r_{78}(k,\cdot)$ on each of the $2^5$ generated samples. At significance level $\alpha = 10^{-4}$ the frequency test fails on at least one of them with probability almost one, and if it fails, all four type 1 conditions are satisfied with probability almost one. This allows us to recover $k_0$, $k_6$, the relation $k_1 + k_8$ and either $k_{14}$ (if $x_{20} = 0$) or the relation $k_3 + k_{14}$ with high probability. The complexity of this attack is $2^{22}$.
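As an added example (not the authors' code), the following Python writes KATAN32 exactly as in Section 4.1 and checks empirically, on random keys and plaintexts, the round-0 differences and the type 1 equations (1) to (4) of Section 4.2, together with the differences at rounds 9, 11, 13 and 20 that those conditions control once the type 0 conditions hold and x_28 is chosen so that (1) is satisfied. It also illustrates the free-bit idea of Section 3.2: all checks hold for every value of the bits not mentioned in the conditions.

```python
"""KATAN32 with the indexing of Section 4.1 (added example, not the paper's code)."""
import random

A = (1, 7, 12, 22, 27)   # difference a = e_1 + e_7 + e_12 + e_22 + e_27

# Type 0 conditions of Section 4.2: plaintext bit index -> imposed value
TYPE0 = {10: 1, 24: 1, 2: 0, 5: 0, 6: 0, 9: 0, 19: 0, 25: 0, 3: 0}


def katan32_trace(key, x, rounds):
    """Run `rounds` rounds; return the full bit sequences l and r.
    key: bits k_0..k_79, x: plaintext bits x_0..x_31 (lists of 0/1)."""
    l = [x[31 - i] for i in range(13)]        # l_i = x_{31-i}, 0 <= i <= 12
    r = [x[18 - i] for i in range(19)]        # r_i = x_{18-i}, 0 <= i <= 18
    c = [1] * 7 + [0]                         # counter: c_0..c_6 = 1, c_7 = 0
    k = list(key)
    for i in range(rounds):
        while len(k) <= 2 * i + 1:            # k_{j+80} = k_j + k_{j+19} + k_{j+30} + k_{j+67}
            j = len(k) - 80
            k.append(k[j] ^ k[j + 19] ^ k[j + 30] ^ k[j + 67])
        c.append(c[i] ^ c[i + 1] ^ c[i + 3] ^ c[i + 5])
        l.append(r[i] ^ r[i + 11] ^ (r[i + 6] & r[i + 8])
                 ^ (r[i + 10] & r[i + 15]) ^ k[2 * i + 1])
        r.append(l[i] ^ l[i + 5] ^ (l[i + 4] & l[i + 7])
                 ^ (l[i + 9] & c[i]) ^ k[2 * i])
    return l, r


def katan32_encrypt(key, x, rounds=254):
    """Ciphertext of the round-reduced cipher: l_{r..r+12} followed by r_{r..r+18}."""
    l, r = katan32_trace(key, x, rounds)
    return l[rounds:rounds + 13] + r[rounds:rounds + 19]


def differences(key, x, rounds):
    """Delta_a l_i, Delta_a r_i for every bit up to `rounds`, plus the values for x."""
    y = list(x)
    for p in A:
        y[p] ^= 1
    l1, r1 = katan32_trace(key, x, rounds)
    l2, r2 = katan32_trace(key, y, rounds)
    return ([u ^ v for u, v in zip(l1, l2)],
            [u ^ v for u, v in zip(r1, r2)], l1, r1)


def check_section_4_2(trials=500, seed=1):
    """True iff the claims of Section 4.2 hold on every random trial."""
    rng = random.Random(seed)
    for _ in range(trials):
        key = [rng.randint(0, 1) for _ in range(80)]
        x = [rng.randint(0, 1) for _ in range(32)]
        # Round 0 differences hold for an arbitrary plaintext.
        dl, dr, _, _ = differences(key, x, 1)
        if dl[13] != (1 ^ x[10]) or dr[19] != (x[24] ^ 1):
            return False
        # Impose the type 0 conditions; choose x_28 so that equation (1) holds.
        for pos, val in TYPE0.items():
            x[pos] = val
        x[28] = x[23] ^ x[21] ^ key[6]
        dl, dr, l, r = differences(key, x, 21)
        if r[22] != 0:                                              # equation (1)
            return False
        # Rounds 0..10: nothing propagates except the deterministic Delta r_28 = 1.
        if any(dl[13:24]) or any(dr[19:28]) or dr[28] != 1:
            return False
        # Rounds 11, 13, 20: the differences controlled by (2), (3), (4).
        if dl[24] != (1 ^ r[19]) or dl[26] != r[23] or dl[33] != r[26]:
            return False
        if r[19] != (x[31] ^ x[26] ^ x[27] ^ x[22] ^ key[0]):       # equation (2)
            return False
        if r[23] != (x[27] ^ x[22] ^ (x[23] & x[20]) ^ x[18] ^ x[7]
                     ^ x[12] ^ key[1] ^ key[8]):                    # equation (3)
            return False
        if r[26] != (1 ^ (x[20] & (x[17] ^ key[3])) ^ key[14]):     # equation (4)
            return False
    return True


if __name__ == "__main__":
    print("Section 4.2 equations verified:", check_section_4_2())
```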

4.3 Analysis of KATAN48 and KATAN64 

All three members of the KATAN family perform 254 rounds, they use the same LFSR and the algebraic structure of the non-linear update functions is the same. The differences between the KATANn ciphers are the block size n, the length of the NLFSRs, the tap positions for the non-linear update and the number of times the NLFSRs are updated per round.

For KATAN48 the NLFSRs have length 19 and 29 and each register is updated twice per round. We obtained our best result with a difference of weight four at the positions 1, 10, 19 and 28 in the plaintext block. Imposing four type 0 conditions and two type 1 conditions we are able to derive a sample of size $2^{31}$ from a valid plaintext. This allows us to recover the key bit $k_{12}$ and the relation $k_1 + k_{14}$ after 70 rounds (this corresponds to 140 updates of the NLFSRs) with a complexity of $2^{34}$.

For KATAN64 the NLFSRs have length 25 and 39 and each register is updated three times per round. We obtained our best result with a difference of weight three at the positions 0, 13 and 26. Imposing six type 0 conditions and two type 1 conditions we are able to derive a sample of size at least $2^{32}$ from a valid plaintext. This allows us to recover $k_2$ and $k_1 + k_8$ after 68 rounds (204 updates of the NLFSRs) with a complexity of $2^{35}$.

4.4 Analysis of the KTANTAN Family 

KTANTANn is very similar to KATANn. They only differ in the key scheduling part. In KATAN the key is loaded into a register and linearly expanded to the round keys after round 40. Until round 40 the original key bits are used as the round keys. In KTANTAN, from the first round, the round keys are a linear combination of key bits (depending on the state of the counter LFSR, which is entirely known). Hence, our analysis of KATANn directly translates to KTANTANn, but instead of recovering a single key bit, we recover a linear relation of key bits. For instance in KATAN32 we recover the relation kr + ku instead of bit $k_0$.

5 Analysis of Grain v1

Grain v1 is a stream cipher proposed in [13] and has been selected for the final eSTREAM portfolio [2]. It accepts an 80-bit key $k$ and a 64-bit initial value $x$. The cipher consists of three building blocks, namely an 80-bit LFSR, an 80-bit NLFSR and a non-linear output function. The state of the LFSR is denoted by $s_i, \ldots, s_{i+79}$ and the state of the NLFSR by $b_i, \ldots, b_{i+79}$. The registers are initialized by $b_i = k_i$ for $0 \le i \le 79$, $s_i = x_i$ for $0 \le i \le 63$ and $s_i = 1$ for $64 \le i \le 79$ and updated according to

$s_{i+80} = f(s_i, \ldots, s_{i+79}),$

$b_{i+80} = g(b_i, \ldots, b_{i+79}) + s_i,$

where $f$ is linear and $g$ has degree 6. The output function is taken as

$z_i = \sum_{k \in A} b_{i+k} + h(s_{i+3}, s_{i+25}, s_{i+46}, s_{i+64}, b_{i+63}),$

where $A = \{1, 2, 4, 10, 31, 43, 56\}$ and $h$ is defined as

$h(s_{i+3}, s_{i+25}, s_{i+46}, s_{i+64}, b_{i+63}) = s_{i+25} + b_{i+63} + s_{i+3} s_{i+64} + s_{i+46} s_{i+64} + s_{i+64} b_{i+63} + s_{i+3} s_{i+25} s_{i+46} + s_{i+3} s_{i+46} s_{i+64} + s_{i+3} s_{i+46} b_{i+63} + s_{i+25} s_{i+46} b_{i+63} + s_{i+46} s_{i+64} b_{i+63}.$

The cipher is clocked 160 times without producing any keystream. Instead the output function is fed back to the LFSR and to the NLFSR.

If we consider round-reduced variants of Grain v1 with $r$ initialization rounds, the feedback of the output stops after $r$ rounds and the first keystream bit is $z_r$.

Our analysis is similar to the one of KATAN32, but the equations for the conditions are more complex. We first present an attack on 97 rounds and then extend it to 104 rounds.


5.1 Distinguishing Attack and Key Recovery for 97 Rounds

Our analysis is based on the first order derivative with respect to a single difference in bit 37 of the initial value. Let $a = e_{37}$ denote the difference. The first conditions are defined at round 12, where the difference in $s_{37}$ eventually propagates to the state bits $s_{92}$ and $b_{92}$ via the feedback of $z_{12}$. We have

$\Delta_a z_{12}(k,x) = 1 + x_{15} x_{58} + x_{58} b_{75}.$

We impose the type 0 condition $x_{58} = 1$ and we define the type 1 condition $x_{15} + k_{75} = 0$ to prevent the propagation. The next conditions are determined at round 34, where we have

$\Delta_a z_{34}(k,x) = s_{98} + x_{59} s_{80} + s_{80} s_{98} + s_{80} b_{97}.$

We define the conditions $s_{80} = 0$ and $s_{98} = 0$. Similarly we determine $s_{86} = 0$ and $s_{92} = 0$ at the rounds 40 and 46, respectively. So far, we imposed one type 0 condition at round 12 and we have five type 1 conditions at the rounds 12, 34, 40 and 46. The type 1 conditions jointly have 25 free bits:

$x_7, x_8, x_{10}, x_{11}, x_{14}, x_{16}, x_{17}, x_{20}, x_{22}, x_{24}, x_{28}, x_{30}, x_{32}, x_{33}, x_{34}, x_{36}, x_{39}, x_{42}, x_{45}, x_{49}, x_{54}, x_{55}, x_{59}, x_{60}$ and $x_{61}$.

On average we expect that one out of $2^5$ randomly chosen initial values satisfies the conditions. We define a distinguisher that chooses $2^5$ random initial values and for each performs a frequency test of $\Delta_a z_{97}(k,\cdot)$ on the sample of $2^{25}$ inputs generated by the free bits. Instead of randomly choosing $2^5$ initial values we can choose $2^4$ and test each of them for $x_{15} = 0$ and $x_{15} = 1$. This guarantees that the condition from round 12 is satisfied for at least one of them. Experiments with $2^{10}$ keys at a significance level $\alpha = 0.005$ show that at least one of the $2^5$ tests fails with probability 0.99. This gives a distinguisher with complexity $2^{31}$ and advantage of about 0.83 for Grain v1 reduced to 97 rounds.

The two conditions $x_{15} + k_{75} = 0$ and $s_{86} = 0$ are crucial to obtain a significant bias after 97 rounds. In a key recovery scenario this reveals information about the key. Experiments show that both conditions hold with probability almost one if the frequency test fails. This recovers the key bit $k_{75}$ and the value of $k_7 + k_8 + k_{10} + k_{37} + k_{49} + k_{62} + k_{69}$ (coming from $s_{86} = 0$).

5.2 Extension to 104 Rounds

Using the same conditions as before, we extend the attack to 104 rounds. We use the same idea as for KATAN32 to increase the size of the sample that can be generated from one initial value. We gain four additional degrees of freedom by noting that the non-free bits $x_6, x_{19}, x_{29}, x_{44}$ and $x_{57}$ influence only the condition imposed at round 40 and must only satisfy the linear equation

$x_6 + x_{19} + x_{29} + x_{44} + x_{57} = A$

for a constant $A$. In total, we can now derive a sample of size $2^{29}$ from one initial value.

The distinguisher defined above now has a complexity of $2^{35}$ and advantage of about 0.45. When the frequency test fails, the conditions $x_{15} + k_{75} = 0$ and $s_{92} = 0$ are satisfied with a probability almost one, which gives us $k_{75}$ and the value of $k_{13} + k_{14} + k_{16} + k_{22} + k_{43} + k_{55} + k_{68}$ (coming from $s_{92} = 0$). The remaining three conditions are satisfied with a probability of about 0.70 and give us similar relations in the key bits.

The sample size can be further increased, because also the non-free bits $x_{13}, x_{23}, x_{38}, x_{51}$ and $x_{62}$ only must satisfy a linear equation. This gives a distinguisher with complexity $2^{39}$ and advantage of about 0.58.

6 Analysis of Grain-128

Grain-128 was proposed in [12] as a bigger version of Grain v1. It accepts a 128-bit key $k$ and a 96-bit initial value $x$. The general construction of the cipher is the same as for Grain v1, but the LFSR and the NLFSR both contain 128 bits. The content of the LFSR is denoted by $s_i, \ldots, s_{i+127}$ and the content of the NLFSR is denoted by $b_i, \ldots, b_{i+127}$. The initialization with the key and the initial value is analogous to Grain v1 and the update is performed according to

$s_{i+128} = f(s_i, \ldots, s_{i+127}),$

$b_{i+128} = g(b_i, \ldots, b_{i+127}) + s_i,$

where $f$ is linear and $g$ has degree 2. The output function is taken as

$z_i = \sum_{k \in A} b_{i+k} + h(b_{i+12}, s_{i+8}, s_{i+13}, s_{i+20}, b_{i+95}, s_{i+42}, s_{i+60}, s_{i+79}, s_{i+95}),$

where $A = \{2, 15, 36, 45, 64, 73, 89\}$ and $h$ is defined as

$h(x) = b_{i+12} s_{i+8} + s_{i+13} s_{i+20} + b_{i+95} s_{i+42} + s_{i+60} s_{i+79} + b_{i+12} b_{i+95} s_{i+95}.$

The cipher is clocked 256 times without producing any keystream. Instead the output function is fed back to the LFSR and to the NLFSR.

If we consider round-reduced variants of Grain-128 with $r$ initialization rounds, the feedback of the output stops after $r$ rounds and the first keystream bit is $z_r$.

For the analysis of Grain-128 we use higher order derivatives. The general idea of conditional differential cryptanalysis naturally extends. As in the case of first order derivatives we always assume that the differences are applied to the initial value and not to the key.

6.1 Distinguishing Attack up to 215 Rounds

Our attack is based on a derivative of order thirteen with respect to the set of differences

$a = \{e_0, e_1, e_2, e_{34}, e_{35}, e_{36}, e_{37}, e_{65}, e_{66}, e_{67}, e_{68}, e_{69}, e_{95}\}.$

These differences are chosen because they do not influence each other in the initial rounds. As a consequence the corresponding differential characteristic (of order thirteen) is zero for as many as 170 rounds. This can be extended to 190 rounds by imposing simple type 0 conditions that control the propagation of each single difference. As an example we derive the conditions for the difference $e_{65}$. The first condition is derived from round 5, where we have

$\Delta_{e_{65}} z_5(k,x) = x_{84}.$

We impose $x_{84} = 0$. In the same way the conditions $x_{58} = 0$ and $x_{72} = 0$ prevent difference propagation at rounds 45 and 52. At round 23 we have

$\Delta_{e_{65}} z_{23}(k,x) = k_{118}.$

As we will see below, the type 2 condition $k_{118} = 0$ determines a class of weak keys for the distinguishing attack.

Proceeding the same way for the other differences we derive 24 type 0 conditions that consist in setting the following bits to zero: $x_{27}, x_{28}, x_{29}, x_{30}, x_{41}, x_{42}, x_{43}, x_{44}, x_{58}, x_{59}, x_{60}, x_{61}, x_{62}, x_{72}, x_{73}, x_{74}, x_{75}, x_{76}, x_{77}, x_{84}, x_{85}, x_{86}, x_{87}, x_{88}$. In addition to $k_{118}$ the key bits $k_{39}, k_{119}, k_{120}$ and $k_{122}$ can be identified to define classes of weak keys.

There are $2^{96-13-24} = 2^{59}$ initial values that are different in $\mathbb{F}_2^{96}/L(a)$ and satisfy all type 0 conditions. We define a distinguisher that performs a frequency test of $\Delta_a^{(13)} z_r(k,\cdot)$ on $2^{12}$ of these inputs. Table 1 summarizes the empirical results obtained for $2^{12}$ different keys tested at a significance level $\alpha = 0.005$. The indicated values denote the probability $1 - \beta$, where $\beta$ denotes the probability that $\Delta_a^{(13)} z_r(k,\cdot)$ passes the frequency test. Our distinguisher has complexity $2^{25}$ and advantage $1 - \alpha - \beta$. The values in the first row are obtained without any condition on the key. They show that we can distinguish Grain-128 reduced to 215 rounds with an advantage of about 0.008. The other rows indicate the probabilities for the classes of weak keys defined by the indicated type 2 conditions.
Table 1. Distinguishing attack on Grain-128 reduced to r rounds: probability $1 - \beta$ for $\alpha = 0.005$ and complexity $2^{28}$. Type 2 conditions define classes of weak keys.

type 2 condition    r = 203    r = 207    r = 211    r = 213    r = 215
-----------------------------------------------------------------------
-                   1.000      0.587      0.117      0.173      0.013
$k_{39} = 0$        1.000      0.630      0.128      0.275      0.017
$k_{118} = 0$       1.000      0.653      0.177      0.231      0.024
$k_{119} = 0$       1.000      0.732      0.151      0.267      0.025
$k_{120} = 0$       1.000      0.876      0.234      0.249      0.026
$k_{122} = 0$       1.000      0.668      0.160      0.285      0.015


6.2 Key Recovery up to 213 Rounds

In this section we specifically exploit type 2 conditions to recover single key bits with high probability. The attack is explained by a prototypical example that recovers three bits of Grain-128 reduced to 197 rounds with a probability up to 0.87. It is based on a derivative of order five and can easily be extended to recover more bits by using slightly different derivatives. This is demonstrated by an attack that recovers eight bits using two additional derivatives (both of order five). A second attack uses the derivative of order thirteen from the previous section and recovers three bits for Grain-128 reduced to 213 rounds with a probability up to 0.59.

Prototypical Example. We use a derivative of order five with respect to the differences $\sigma = \{e_1, e_{36}, e_{66}, e_{67}, e_{68}\}$. In the same way as in the distinguishing attack, we impose conditions on the initial value to control the propagation of each difference. Altogether we impose 12 type 0 conditions and denote by $W$ the set of initial values satisfying all of them. The crucial observation is the following. The key bit $k_{121}$ controls the characteristic of $e_{68}$ in the very early phase of initialization, namely at round 26. If $k_{121} = 1$ the difference propagates, otherwise it does not. This strongly influences the frequency of $\Delta_\sigma^{(5)} z_r(k,\cdot)$ after $r = 197$ rounds. Similar strong influences can be found for $k_{40}$ after $r = 199$ rounds and for $k_{119}$ after $r = 200$ rounds. This allows us to recover these bits by binary hypothesis tests.

Key Recovery by Hypothesis Test. Let $X$ be a uniformly distributed random variable taking values in $W/L(\sigma)$ and define

$p_r(k) = \Pr[\Delta_\sigma^{(5)} z_r(k, X) = 1].$

If the key is considered as a uniformly distributed random variable $K$, $p_r(K)$ is a random variable in the interval $[0,1]$. Our attack is based on the observation that the conditional distributions of $p_r(K)$ conditioned on $K_i = 0$ and $K_i = 1$, for well chosen $i$, strongly differ even for a large number of rounds. This can be exploited to perform a binary hypothesis test on the value of $K_i$. An attacker can estimate a single observation $p_r$ of $p_r(K)$ to take her decision. Since in all our attacks the expectation of $p_r(K)$ conditioned on $K_i = 0$ is significantly smaller than the conditional expectation conditioned on $K_i = 1$, we determine a parameter $\pi \in [0,1]$ and take our decision according to the rule

guess $K_i = \begin{cases} 0 & \text{if } p_r < \pi \\ 1 & \text{otherwise.} \end{cases}$

The success probability of the attack essentially depends on the choice of $\pi$. If we denote by $\alpha = \Pr[p_r(K) > \pi \mid K_i = 0]$ the probability that we falsely guess $K_i = 1$ and by $\beta = \Pr[p_r(K) < \pi \mid K_i = 1]$ the corresponding probability that we falsely guess $K_i = 0$, then the probability of a correct decision, denoted $P_c$, is given as

$P_c = 1 - (\alpha + \beta)/2.$

An optimal $\pi$ maximizes $P_c$. Since the conditional distributions of $p_r(K)$ are not known explicitly, we empirically determine $\pi$ in a precomputation phase of the attack.
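The precomputation and decision step just described, as an added example (not the paper's code): given estimates of $p_r(K)$ for sampled keys with $K_i = 0$ and with $K_i = 1$ (the two histograms), it sweeps the threshold $\pi$, computes $\alpha$, $\beta$ and $P_c = 1 - (\alpha + \beta)/2$, keeps the maximiser, and applies the decision rule. The sample values are constructed for illustration and are not the paper's measurements.

```python
"""Hypothesis-test threshold selection of Section 6.2 (added example)."""


def error_rates(pi, p_given_0, p_given_1):
    """alpha = Pr[p_r(K) >= pi | K_i = 0] (false guess 1),
    beta  = Pr[p_r(K) <  pi | K_i = 1] (false guess 0), both empirical."""
    alpha = sum(p >= pi for p in p_given_0) / len(p_given_0)
    beta = sum(p < pi for p in p_given_1) / len(p_given_1)
    return alpha, beta


def success_probability(pi, p_given_0, p_given_1):
    """P_c = 1 - (alpha + beta)/2 for the threshold pi."""
    alpha, beta = error_rates(pi, p_given_0, p_given_1)
    return 1 - (alpha + beta) / 2


def choose_threshold(p_given_0, p_given_1):
    """Precomputation: try every observed estimate as pi and keep the first
    one that maximises P_c (deterministic tie-break on ascending pi)."""
    best_pi, best_pc = None, -1.0
    for pi in sorted(set(p_given_0) | set(p_given_1)):
        pc = success_probability(pi, p_given_0, p_given_1)
        if pc > best_pc:
            best_pi, best_pc = pi, pc
    return best_pi, best_pc


def estimate_p_r(derivative_values):
    """Attack phase: p_r estimated as the frequency of 1 among observed
    values of the derivative over the chosen initial values."""
    return sum(derivative_values) / len(derivative_values)


def guess_key_bit(p_r, pi):
    """The decision rule: 0 if p_r < pi, 1 otherwise."""
    return 0 if p_r < pi else 1


# Constructed precomputation output (illustrative, not the paper's data):
# estimates of p_r(K) for keys with K_i = 0 and for keys with K_i = 1.
P_GIVEN_0 = [0.40, 0.42, 0.45, 0.47, 0.48, 0.50, 0.52]
P_GIVEN_1 = [0.46, 0.49, 0.51, 0.53, 0.55, 0.57, 0.60]

if __name__ == "__main__":
    pi, pc = choose_threshold(P_GIVEN_0, P_GIVEN_1)
    print("pi =", pi, "P_c =", round(pc, 4))
    # A constructed run of the attack: 12 of 16 derivative values were 1.
    print("guess:", guess_key_bit(estimate_p_r([1] * 12 + [0] * 4), pi))
```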

Back to the Example. The first rows of Table 2 show the precomputed parameters $\pi$ and the resulting probability $P_c$ for our prototypical example. The precomputation of each $\pi$ was done for $2^{14}$ key pairs and $2^{14}$ initial values for each key. This gives an overall precomputation complexity of $6 \cdot 2^{33}$ since we have to compute two histograms for each key bit. The attack itself consists in estimating $p_r$ for $r = 197, 199$ and 200. Note that all three estimates can be obtained by the same computation, which has complexity $2^{19}$ when estimating over $2^{14}$ initial values. The probabilities $P_c$ are not completely independent and the probability of correctly guessing all three bits together is about 0.463.

Recovering 8 Bits after 197 Rounds. The prototypical example can be extended by using two other sets of differences which are obtained by shifting all differences by one position to the left and to the right, respectively. This allows us to recover five additional bits of the key, namely $k_{39}, k_{41}, k_{118}, k_{120}$ and $k_{122}$. The complexities of this extended attack are $9 \cdot 2^{34}$ for the precomputation and $3 \cdot 2^{19}$ for the attack


Table 2. Key recovery for reduced Grain-128: $P_c$ is the probability of correctly guessing key bit $k_i$. The attack complexity is $2^{19}$ for $|\sigma| = 5$ and $2^{25}$ for $|\sigma| = 13$.

Difference set                                        $k_i$      r      $\pi$    $P_c$
-----------------------------------------------------------------------------------
$\sigma = \{e_1, e_{36}, e_{66}, e_{67}, e_{68}\}$    $k_{40}$   199    0.494    0.801
                                                      $k_{119}$  200    0.492    0.682
                                                      $k_{121}$  197    0.486    0.867
$\sigma = \{e_0, e_1, e_2, e_{34}, e_{35}, e_{36},$   $k_{39}$   213    0.490    0.591
$e_{37}, e_{65}, e_{66}, e_{67}, e_{68}, e_{69},$     $k_{12}$   213    0.488    0.566
$e_{95}\}$                                            $k_{118}$  206    0.356    0.830
                                                      $k_{120}$  207    0.486    0.807
                                                      $k_{120}$  211    0.484    0.592
                                                      $k_{122}$  213    0.478    0.581

itself. We recover all eight bits correctly with a probability of 0.123. This can be improved up to 0.236 by first determining $k_{121}$ and $k_{122}$ and then recovering the remaining bits conditioned on the values of $k_{121}$ and $k_{122}$.

Recovering Bits up to 213 Rounds. If we use the derivative of order thirteen that we already used in the distinguishing attack, after 213 rounds we can recover two key bits with probability of almost 0.6. The last rows of Table 2 summarize the results. Here, the precomputation was done for $2^{12}$ key pairs and $2^{12}$ initial values for each key, which gives a precomputation complexity of $2^{38}$. The complexity of the attack itself is $2^{25}$.


7 Conclusion 

We presented a first analysis of the KATAN/KTANTAN family as well as the best known cryptanalytic results on Grain v1 and Grain-128. This was obtained by conditional differential cryptanalysis, which also applies to other NLFSR-based constructions and provides further hints for choosing an appropriate number of rounds with regard to the security/efficiency tradeoff in future designs of such constructions.
Abstract. SOSEMANUK is a software-oriented stream cipher proposed by C. Berbain et al. for the eSTREAM project and has been selected into the final portfolio. It is noticed that most components of SOSEMANUK can be calculated byte-oriented. Hence an attacker can observe SOSEMANUK from the view of byte units instead of the original 32-bit word units. Based on the above idea, in this work we present a new byte-based guess and determine attack on SOSEMANUK, where we view a byte as a basic data unit and guess certain bytes of the internal states instead of the whole 32-bit words during the execution of the attack. Surprisingly, our attack only needs a few words of known key stream to recover all the internal states of SOSEMANUK, and the time complexity can be dramatically reduced to $O(2^{176})$. Since SOSEMANUK has a key with the length varying from 128 to 256 bits, our results show that when the length of an encryption key is larger than 176 bits, our guess and determine attack is more efficient than an exhaustive key search.

Keywords: eSTREAM, SOSEMANUK, Guess and Determine Attack. 


1 Introduction 

The European eSTREAM project [1] was launched in 2004 to call for stream ciphers and ended in 2008. At first about 34 stream cipher candidates were submitted to the eSTREAM project, and after three rounds of the challenge, 7 of them were selected into the final portfolio. SOSEMANUK, proposed by C. Berbain et al. [2], is one of the above seven algorithms. SOSEMANUK is a software-oriented stream cipher and has a key with the length varying from 128 to 256 bits. The design of SOSEMANUK adopted the ideas of both the stream cipher SNOW 2.0 [3] and the block cipher SERPENT [4] and aimed at improving SNOW 2.0 both from the security and from the efficiency points of view.

The guess and determine attack is a common attack on stream ciphers [5,6,7,8]. Its main idea is that an attacker first guesses the values of a portion of the internal states of the target algorithm, then it takes little cost to deduce the

* This work was supported by the National Natural Science Foundation (Grant No. 
60833008 and 60902024). 

M. Abe (Ed.): ASIACRYPT 2010, LNCS 6477, pp. 146-157, 2010.
values of all the rest of the internal states of the algorithm by making use of the values of the guessed portion of internal states and a few known key stream words. When the values of all the internal states of the algorithm are recovered, the attacker tests the correctness of these values by producing a key stream using the above recovered values and comparing it with the known key stream. If the key streams agree, it shows that the recovered states are correct. If the key streams don't agree, then the attacker repeats the above process until the correct internal states are found. As for SOSEMANUK, the designers of SOSEMANUK [2] presented a guess and determine attack method, whose time complexity is $O(2^{256})$. In 2006 H. Ahmadi et al. [9] revised the attack and reduced the time complexity to $O(2^{226})$, and this result was further reduced to $O(2^{224})$ by Y. Tsunoo et al. [10]. Recently Lin and Jie [11] gave a new result that they could recover all internal states of SOSEMANUK with time complexity $O(2^{192})$. Unfortunately, a mistake was made in their work. In step 1 of their attack, $f_{t-2}, f_{t-1}, f_t, f_{t+1}$ and $s_{t-2}, s_{t-1}, s_t, s_{t+1}$ were used to output key words $z_{t-2}, z_{t-1}, z_t, z_{t+1}$, and in step 14, $f_t, f_{t+1}, f_{t+2}, f_{t+3}$ and $s_t, s_{t+1}, s_{t+2}, s_{t+3}$ were used to output key words $z_t, z_{t+1}, z_{t+2}, z_{t+3}$. However, according to the description of SOSEMANUK, the output key words in the next pad should be $z_{t+2}, z_{t+3}, z_{t+4}, z_{t+5}$, which should be produced by $f_{t+2}, f_{t+3}, f_{t+4}, f_{t+5}$ and $s_{t+2}, s_{t+3}, s_{t+4}, s_{t+5}$. Therefore the time complexity they gave is incorrect.

It is known that most word-oriented stream ciphers make a trade-off between security and efficiency. From the view of a designer, in pursuit of a more efficient software implementation of the algorithm, certain operators are often used, for example the exclusive OR, S-boxes, the modulo $2^n$ addition, and the multiplication or the division by a primitive element in the finite field $\mathbb{F}_{2^n}$, where n may be equal to 8, 16 or 32. We notice that most of these operations can be done based on smaller units, for example 16-bit words or bytes. Therefore, from the view of an attacker, he can observe the algorithm from the viewpoint of smaller units instead of the original word units. Based on the above idea, in this work we present a byte-based guess and determine attack on SOSEMANUK, where we view a byte as a basic data unit and guess certain bytes of the internal states instead of the whole 32-bit words during the execution of the attack. Surprisingly, our attack only needs a few known key stream words to recover all the internal states of SOSEMANUK, and the time complexity can be dramatically reduced to $O(2^{176})$. It shows that when the length of an encryption key is larger than 176 bits, the guess and determine attack is more efficient than an exhaustive key search. What's more, our results also show that during the design of stream cipher algorithms, it is necessary to break the bound between different operands.

The rest of this paper is organized as follows: in Section 2 we recall the SOSEMANUK algorithm briefly, and in Section 3 we give some basic properties of SOSEMANUK. In Section 4 we describe all the details of our attack on SOSEMANUK. In Section 5 we give an estimate of the time and data complexity of our attack. Section 6 gives a further discussion, and Section 7 concludes the paper.
2 Description of SOSEMANUK

In this section we recall the SOSEMANUK algorithm briefly; all the details can be found in [2].

SOSEMANUK is a 32-bit word-oriented stream cipher, and is logically composed of three parts: a linear feedback shift register (LFSR), a finite state machine (FSM) and a round function Serpent1, see Figure 1.



2.1 The LFSR 

The LFSR of SOSEMANUK is defined over the finite field $\mathbb{F}_{2^{32}}$ and contains
ten 32-bit registers $s_i$, $1 \le i \le 10$. The feedback polynomial $\pi(x)$ of the LFSR is
defined as follows:

$$\pi(x) = \alpha x^{10} + \alpha^{-1} x^{7} + x + 1, \qquad (1)$$

where $\alpha$ is a root of the polynomial

$$P(x) = x^4 + \beta^{23} x^3 + \beta^{245} x^2 + \beta^{48} x + \beta^{239}$$

over the finite field $\mathbb{F}_{2^8}$, and $\beta$ is a root of the binary polynomial

$$Q(x) = x^8 + x^7 + x^5 + x^3 + 1.$$

Let $\{s_t\}_{t \ge 1}$ be a sequence generated by the LFSR. Then it satisfies

$$s_{t+10} = s_{t+9} \oplus \alpha^{-1} s_{t+3} \oplus \alpha s_t, \quad \forall t \ge 1. \qquad (2)$$


2.2 The FSM 

The nonlinear filtering part of SOSEMANUK is a finite state machine (FSM),
which contains two 32-bit memory units $R1$ and $R2$. At time t, the FSM takes
the values $s_{t+1}$, $s_{t+8}$ and $s_{t+9}$ of the corresponding LFSR registers as inputs,
and outputs a 32-bit word $f_t$. The execution of the FSM is as follows:

$$R1_t = R2_{t-1} \boxplus \mathrm{mux}(\mathrm{lsb}(R1_{t-1}),\, s_{t+1},\, s_{t+1} \oplus s_{t+8}), \qquad (3)$$

$$R2_t = \mathrm{Trans}(R1_{t-1}), \qquad (4)$$

$$f_t = (s_{t+9} \boxplus R1_t) \oplus R2_t, \qquad (5)$$

where $\boxplus$ is the modulo $2^{32}$ addition; $\mathrm{lsb}(x)$ is the least significant bit of x;
$\mathrm{mux}(c, x, y)$ is equal to x if c = 0, or equal to y if c = 1; and the internal
transition function Trans on 32-bit integers is defined by

$$\mathrm{Trans}(z) = (\mathtt{0x54655307} \cdot z \bmod 2^{32}) \lll 7,$$

where $\lll$ is the left cyclic shift operator on 32-bit strings.


2.3 The Round Function Serpentl 

In the block cipher SERPENT a raw SERPENT round consists of, in that order:

— a subkey addition;

— S-box transformations;

— a linear transformation.

Here the function Serpent1 is one round of SERPENT without the subkey addition
and the linear transformation. The S-box used in Serpent1 is the S-box
$S_2$ of SERPENT and runs in bit-slice mode. Serpent1 takes the outputs $f_{t+i}$ of
the FSM at four successive times as inputs and outputs four 32-bit words $y_{t+i}$,
where i = 0, 1, 2, 3, see Figure 2.
2.4 Generation of Key Stream

Let $s_t, s_{t+1}, s_{t+2}, s_{t+3}$ and $f_t, f_{t+1}, f_{t+2}, f_{t+3}$ be the outputs of the LFSR and
of the FSM respectively at the successive times starting from time t, and let
$z_t, z_{t+1}, z_{t+2}, z_{t+3}$ be the key stream words generated by SOSEMANUK at those four
successive times. Then we have

$$(z_{t+3}, z_{t+2}, z_{t+1}, z_t) = \mathrm{Serpent1}(f_{t+3}, f_{t+2}, f_{t+1}, f_t) \oplus (s_{t+3}, s_{t+2}, s_{t+1}, s_t). \qquad (6)$$

3 Some Properties of SOSEMANUK 

In this section we view a byte as the basic data unit and give some basic properties
of SOSEMANUK from the viewpoint of byte units. First we introduce some notation.

Let x be a 32-bit word. We denote by $x^{(i)}$ the i-th byte component of x,
$0 \le i \le 3$, that is,

$$x = x^{(3)} \,\|\, x^{(2)} \,\|\, x^{(1)} \,\|\, x^{(0)},$$

where each $x^{(i)}$ is a byte, and $\|$ is the concatenation of two bit strings. For
simplicity we write $x^{(1)} \| x^{(0)}$ as $x^{(0,1)}$ and $x^{(2)} \| x^{(1)} \| x^{(0)}$ as $x^{(0,1,2)}$.

For any given 32-bit word x, the word x may have different meanings in
different contexts, as follows:

1. As an operand of the operator $\oplus$. Here x is a 32-bit string, and $\oplus$ is the
bitwise exclusive OR.

2. As an operand of the integer addition + or the modulo $2^{32}$ addition $\boxplus$. Here
x denotes the integer $\sum_{i=0}^{3} x^{(i)} (2^8)^i$.

3. As an element of the finite field $\mathbb{F}_{2^{32}}$. Here x denotes the element $x^{(3)}\alpha^3 +
x^{(2)}\alpha^2 + x^{(1)}\alpha + x^{(0)}$ in $\mathbb{F}_{2^{32}}$, where $\alpha$ is defined as in equation (1).

Now we consider the SOSEMANUK algorithm from the viewpoint of byte units. First
we notice that the feedback calculation of the LFSR (see equation (2)) can be
represented in byte form.

Lemma 1. Equation (2) can be written in byte form as follows:

$$s_{t+10}^{(0)} = s_{t+9}^{(0)} \oplus s_{t+3}^{(1)} \oplus \beta^{64} s_{t+3}^{(0)} \oplus \beta^{239} s_t^{(3)},$$

$$s_{t+10}^{(1)} = s_{t+9}^{(1)} \oplus s_{t+3}^{(2)} \oplus \beta^{6} s_{t+3}^{(0)} \oplus \beta^{48} s_t^{(3)} \oplus s_t^{(0)},$$

$$s_{t+10}^{(2)} = s_{t+9}^{(2)} \oplus s_{t+3}^{(3)} \oplus \beta^{39} s_{t+3}^{(0)} \oplus \beta^{245} s_t^{(3)} \oplus s_t^{(1)},$$

$$s_{t+10}^{(3)} = s_{t+9}^{(3)} \oplus \beta^{16} s_{t+3}^{(0)} \oplus \beta^{23} s_t^{(3)} \oplus s_t^{(2)}.$$

Proof. By the definition of $\alpha$, we have

$$\alpha^4 + \beta^{23}\alpha^3 + \beta^{245}\alpha^2 + \beta^{48}\alpha + \beta^{239} = 0.$$

It follows that

$$\alpha^{-1} = \beta^{16}\alpha^3 + \beta^{39}\alpha^2 + \beta^{6}\alpha + \beta^{64}.$$

Let $s_t = \sum_{i=0}^{3} s_t^{(i)}\alpha^i$ and $s_{t+3} = \sum_{i=0}^{3} s_{t+3}^{(i)}\alpha^i$. Then we have

$$\begin{aligned}
\alpha s_t &= s_t^{(3)}\alpha^4 + s_t^{(2)}\alpha^3 + s_t^{(1)}\alpha^2 + s_t^{(0)}\alpha \\
&= s_t^{(3)}(\beta^{23}\alpha^3 + \beta^{245}\alpha^2 + \beta^{48}\alpha + \beta^{239}) + s_t^{(2)}\alpha^3 + s_t^{(1)}\alpha^2 + s_t^{(0)}\alpha \\
&= (\beta^{23}s_t^{(3)} + s_t^{(2)})\alpha^3 + (\beta^{245}s_t^{(3)} + s_t^{(1)})\alpha^2 + (\beta^{48}s_t^{(3)} + s_t^{(0)})\alpha + \beta^{239}s_t^{(3)},
\end{aligned}$$

and

$$\begin{aligned}
\alpha^{-1} s_{t+3} &= s_{t+3}^{(3)}\alpha^2 + s_{t+3}^{(2)}\alpha + s_{t+3}^{(1)} + s_{t+3}^{(0)}\alpha^{-1} \\
&= s_{t+3}^{(3)}\alpha^2 + s_{t+3}^{(2)}\alpha + s_{t+3}^{(1)} + s_{t+3}^{(0)}(\beta^{16}\alpha^3 + \beta^{39}\alpha^2 + \beta^{6}\alpha + \beta^{64}) \\
&= \beta^{16}s_{t+3}^{(0)}\alpha^3 + (s_{t+3}^{(3)} + \beta^{39}s_{t+3}^{(0)})\alpha^2 + (s_{t+3}^{(2)} + \beta^{6}s_{t+3}^{(0)})\alpha + (s_{t+3}^{(1)} + \beta^{64}s_{t+3}^{(0)}).
\end{aligned}$$

Combining the above equations with equation (2), we immediately get the
desired conclusion. ∎
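The byte form of Lemma 1 can be checked mechanically. The following is an added example, not the authors' code: it builds $\mathbb{F}_{2^8}$ from $Q(x)$, represents an element of $\mathbb{F}_{2^{32}}$ as $x^{(3)}\alpha^3 + x^{(2)}\alpha^2 + x^{(1)}\alpha + x^{(0)}$, implements multiplication by $\alpha$ from $P(x)$ and by $\alpha^{-1}$ from the expansion in the proof, and compares the word-level recurrence (2) with the four byte equations on random (constructed) register contents. The function names and the sanity checks are mine; the constants are those of Section 2.1 and Lemma 1.

```python
"""SOSEMANUK LFSR feedback in word form (equation (2)) and in byte form (Lemma 1).
Added example, not the authors' code."""
import random

Q_POLY = 0x1A9   # Q(x) = x^8 + x^7 + x^5 + x^3 + 1; F_{2^8} = F_2[x]/(Q), beta = x = 0x02

def gf8_mul(a, b):
    """Product of two elements of F_{2^8} (bytes), reducing by Q(x)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= Q_POLY
        b >>= 1
    return r

def beta_pow(e):
    """beta^e in F_{2^8}, by repeated multiplication."""
    r = 1
    for _ in range(e):
        r = gf8_mul(r, 0x02)
    return r

def byte(x, i):
    """x^{(i)}: the i-th byte of the 32-bit word x, byte 0 being the least significant."""
    return (x >> (8 * i)) & 0xFF

def word(b3, b2, b1, b0):
    return (b3 << 24) | (b2 << 16) | (b1 << 8) | b0

# P(x) = x^4 + beta^23 x^3 + beta^245 x^2 + beta^48 x + beta^239 defines alpha;
# alpha^{-1} = beta^16 alpha^3 + beta^39 alpha^2 + beta^6 alpha + beta^64 (proof of Lemma 1).
B23, B245, B48, B239 = (beta_pow(e) for e in (23, 245, 48, 239))
B16, B39, B6, B64 = (beta_pow(e) for e in (16, 39, 6, 64))

def mul_alpha(x):
    """alpha * x for x = x3 alpha^3 + x2 alpha^2 + x1 alpha + x0, reducing alpha^4 by P."""
    x3, x2, x1, x0 = byte(x, 3), byte(x, 2), byte(x, 1), byte(x, 0)
    return word(x2 ^ gf8_mul(B23, x3), x1 ^ gf8_mul(B245, x3),
                x0 ^ gf8_mul(B48, x3), gf8_mul(B239, x3))

def mul_alpha_inv(x):
    """alpha^{-1} * x, using the expansion of alpha^{-1} above."""
    x3, x2, x1, x0 = byte(x, 3), byte(x, 2), byte(x, 1), byte(x, 0)
    return word(gf8_mul(B16, x0), x3 ^ gf8_mul(B39, x0),
                x2 ^ gf8_mul(B6, x0), x1 ^ gf8_mul(B64, x0))

def feedback_word(s_t, s_t3, s_t9):
    """Equation (2): s_{t+10} = s_{t+9} xor alpha^{-1} s_{t+3} xor alpha s_t."""
    return s_t9 ^ mul_alpha_inv(s_t3) ^ mul_alpha(s_t)

def feedback_bytes(s_t, s_t3, s_t9):
    """Lemma 1: the same value, computed one byte equation at a time."""
    b0 = byte(s_t9, 0) ^ byte(s_t3, 1) ^ gf8_mul(B64, byte(s_t3, 0)) ^ gf8_mul(B239, byte(s_t, 3))
    b1 = (byte(s_t9, 1) ^ byte(s_t3, 2) ^ gf8_mul(B6, byte(s_t3, 0))
          ^ gf8_mul(B48, byte(s_t, 3)) ^ byte(s_t, 0))
    b2 = (byte(s_t9, 2) ^ byte(s_t3, 3) ^ gf8_mul(B39, byte(s_t3, 0))
          ^ gf8_mul(B245, byte(s_t, 3)) ^ byte(s_t, 1))
    b3 = byte(s_t9, 3) ^ gf8_mul(B16, byte(s_t3, 0)) ^ gf8_mul(B23, byte(s_t, 3)) ^ byte(s_t, 2)
    return word(b3, b2, b1, b0)

def lemma1_holds(trials=2000, seed=0):
    """Compare both forms on random register values; also check alpha * alpha^{-1} = 1."""
    rnd = random.Random(seed)
    for _ in range(trials):
        s_t, s_t3, s_t9 = (rnd.getrandbits(32) for _ in range(3))
        if mul_alpha(mul_alpha_inv(s_t)) != s_t:
            return False
        if feedback_word(s_t, s_t3, s_t9) != feedback_bytes(s_t, s_t3, s_t9):
            return False
    return True

if __name__ == "__main__":
    print(lemma1_holds())   # True
```

The round trip `mul_alpha(mul_alpha_inv(x)) == x` is the independent check here: it holds only if the four coefficients of $\alpha^{-1}$ are the ones the proof derives (it uses $\beta^{255} = 1$ and $\beta^{239}\beta^{16} = 1$), so a transcription error in either table would show up immediately.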


Second, we observe the update of $R1$ and the output of the FSM and have the
following conclusion:

Lemma 2. Equations (3) and (5) also hold in the sense of modulo $2^k$ for all
$1 \le k \le 32$, that is,

$$R1_t^{[k]} = R2_{t-1}^{[k]} \boxplus \mathrm{mux}(\mathrm{lsb}(R1_{t-1}),\, s_{t+1}^{[k]},\, s_{t+1}^{[k]} \oplus s_{t+8}^{[k]}),$$

$$f_t^{[k]} = (s_{t+9}^{[k]} \boxplus R1_t^{[k]}) \oplus R2_t^{[k]},$$

where $x^{[k]}$ denotes the lowest k bits of x, and the operator $\boxplus$ now denotes the
modulo $2^k$ addition, without confusion. In particular, the cases k = 8, 16 and 24
are considered in this paper.
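The FSM of Section 2.2 and the modulo-$2^k$ property of Lemma 2, as an added example (not the authors' code). It implements equations (3), (4) and (5) with Trans as defined above, recomputes (3) and (5) from truncated inputs for k = 8, 16 and 24 and compares with the truncation of the full-word result, and shows by counterexample that equation (4) has no such property: the low bits of $\mathrm{Trans}(R1_{t-1})$ depend on the high bits of $R1_{t-1}$, which is why the attack guesses $R1_1$ in full and obtains $R2_2$ as a whole word. Function names and the random (constructed) inputs are mine.

```python
"""The SOSEMANUK FSM (equations (3)-(5)) and the modulo-2^k property of Lemma 2.
Added example, not the authors' code."""
import random

MASK32 = 0xFFFFFFFF

def trans(z):
    """Trans(z) = (0x54655307 * z mod 2^32) <<< 7."""
    z = (0x54655307 * z) & MASK32
    return ((z << 7) | (z >> 25)) & MASK32

def fsm_step(r1_prev, r2_prev, s_t1, s_t8, s_t9):
    """One FSM step at time t from R1_{t-1}, R2_{t-1}, s_{t+1}, s_{t+8}, s_{t+9};
    returns (R1_t, R2_t, f_t)."""
    sel = s_t1 if (r1_prev & 1) == 0 else (s_t1 ^ s_t8)   # mux(lsb(R1_{t-1}), s_{t+1}, s_{t+1} xor s_{t+8})
    r1 = (r2_prev + sel) & MASK32                           # (3)
    r2 = trans(r1_prev)                                     # (4)
    f = ((s_t9 + r1) & MASK32) ^ r2                         # (5)
    return r1, r2, f

def fsm_step_low(k, r1_prev_low, r2_prev_low, s_t1_low, s_t8_low, s_t9_low, r2_low):
    """Equations (3) and (5) evaluated on the lowest k bits only, as in Lemma 2.
    R2_t^{[k]} is an input: Trans has no low-bits property, so R2_t must already be known."""
    mask = (1 << k) - 1
    sel = s_t1_low if (r1_prev_low & 1) == 0 else (s_t1_low ^ s_t8_low)
    r1_low = (r2_prev_low + sel) & mask
    f_low = ((s_t9_low + r1_low) & mask) ^ r2_low
    return r1_low, f_low

def lemma2_holds(k, trials=1000, seed=1):
    """True if the truncated computation agrees with the truncation of the full one in every trial."""
    rnd = random.Random(seed)
    mask = (1 << k) - 1
    for _ in range(trials):
        r1p, r2p, s1, s8, s9 = (rnd.getrandbits(32) for _ in range(5))   # constructed inputs
        r1, r2, f = fsm_step(r1p, r2p, s1, s8, s9)
        r1_low, f_low = fsm_step_low(k, r1p & mask, r2p & mask,
                                     s1 & mask, s8 & mask, s9 & mask, r2 & mask)
        if r1_low != (r1 & mask) or f_low != (f & mask):
            return False
    return True

def trans_low_bits_depend_on_high_bits(k, seed=2):
    """Search for two inputs equal modulo 2^k whose Trans outputs differ modulo 2^k;
    True when such a pair is found (equation (4) does not reduce modulo 2^k)."""
    rnd = random.Random(seed)
    mask = (1 << k) - 1
    for _ in range(100):
        x = rnd.getrandbits(32)
        y = x ^ (rnd.getrandbits(32) & (MASK32 ^ mask))   # same low k bits, different high bits
        if (trans(x) & mask) != (trans(y) & mask):
            return True
    return False

if __name__ == "__main__":
    print(lemma2_holds(8), lemma2_holds(16), lemma2_holds(24))   # True True True
    print(trans_low_bits_depend_on_high_bits(8))                  # True
```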

Finally, we observe the round function Serpent1 and have the following conclusion:

Lemma 3. For any $1 \le k \le 32$, if the values of the k-th bit of each $s_{t+i}$
(i = 0, 1, 2, 3) are known, then the values of the k-th bit of each $f_{t+i}$ can be
calculated by the definition of Serpent1 given some known key stream, that is,

$$f'_k = S_2^{-1}(z'_k \oplus s'_k), \qquad (7)$$

where

$$f'_k = f_{t+3,k} \,\|\, f_{t+2,k} \,\|\, f_{t+1,k} \,\|\, f_{t,k},$$
$$s'_k = s_{t+3,k} \,\|\, s_{t+2,k} \,\|\, s_{t+1,k} \,\|\, s_{t,k},$$
$$z'_k = z_{t+3,k} \,\|\, z_{t+2,k} \,\|\, z_{t+1,k} \,\|\, z_{t,k},$$

and $f_{t+i,k}$, $s_{t+i,k}$ and $z_{t+i,k}$ are the k-th bits of $f_{t+i}$, $s_{t+i}$ and $z_{t+i}$ respectively,
i = 0, 1, 2, 3. Similarly, if the i-th bytes of each $s_{t+i}$ are known, then we can
calculate the i-th bytes of each $f_{t+i}$, i = 0, 1, 2, 3.
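Lemma 3 and equation (7) in code, as an added example (not the authors' code). Because Serpent1 applies the 4-bit S-box independently to each of the 32 bit positions, bit k of the four $f$ words is recovered from bit k of the four $z$ and $s$ words alone, and hence byte i of the $f$ words from byte i of the $z$ and $s$ words. Two things here are my assumptions: the bit-slice convention (word $f_{t+i}$ supplies input bit i of each S-box, word $y_{t+i}$ receives output bit i), and the $S_2$ table, reproduced from the Serpent specification; the lemma holds for any invertible 4-bit S-box and any fixed bit ordering, so neither affects the argument.

```python
"""Serpent1 in bit-slice mode and the bit-wise inversion of Lemma 3 / equation (7).
Added example, not the authors' code."""
import random

# Serpent S-box S2 (from the Serpent specification). The inversion below works for
# any bijective 4-bit S-box, so the exact table does not matter for the lemma.
S2 = [8, 6, 7, 9, 3, 12, 10, 15, 13, 1, 14, 4, 0, 11, 5, 2]
S2_INV = [S2.index(v) for v in range(16)]

# Assumed bit-slice convention: word f_{t+i} supplies bit i of each 4-bit S-box input,
# and word y_{t+i} receives bit i of each S-box output.
def serpent1(f):
    """f = (f_t, f_{t+1}, f_{t+2}, f_{t+3}) -> (y_t, ..., y_{t+3}); S2 applied at all 32 bit positions."""
    y = [0, 0, 0, 0]
    for k in range(32):
        nib = sum(((f[i] >> k) & 1) << i for i in range(4))
        out = S2[nib]
        for i in range(4):
            y[i] |= ((out >> i) & 1) << k
    return tuple(y)

def keystream(f, s):
    """Equation (6): z_{t+i} = y_{t+i} xor s_{t+i}."""
    return tuple(yi ^ si for yi, si in zip(serpent1(f), s))

def recover_f_bit(z, s, k):
    """Equation (7): bit k of every f_{t+i} from bit k of the z's and s's only."""
    nib = sum((((z[i] ^ s[i]) >> k) & 1) << i for i in range(4))
    inv = S2_INV[nib]
    return tuple((inv >> i) & 1 for i in range(4))

def recover_f_byte(z, s, j):
    """Byte j of every f_{t+i}, using only byte j of the z's and s's (last sentence of Lemma 3).
    Returns four words holding just that byte, in place."""
    f = [0, 0, 0, 0]
    for k in range(8 * j, 8 * j + 8):
        bits = recover_f_bit(z, s, k)
        for i in range(4):
            f[i] |= bits[i] << k
    return tuple(f)

def lemma3_holds(trials=200, seed=3):
    """Random (constructed) f and s words: every byte of every f word is recovered from z and s."""
    rnd = random.Random(seed)
    for _ in range(trials):
        f = tuple(rnd.getrandbits(32) for _ in range(4))
        s = tuple(rnd.getrandbits(32) for _ in range(4))
        z = keystream(f, s)
        for j in range(4):
            want = tuple(fi & (0xFF << (8 * j)) for fi in f)
            if recover_f_byte(z, s, j) != want:
                return False
    return True

if __name__ == "__main__":
    print(lemma3_holds())   # True
```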


152 X. Feng et al. 


4 Execution of the Attack

In this section we always assume that a portion of key stream words $\{z_t\}$ have
been observed, where $t = 1, 2, \cdots, N$, and N is large enough for the attack to
work. For convenience, we denote by

$$A \stackrel{(*)}{\Longrightarrow} B$$

the deduction of B from A by equation (*).

Before the description of the attack, we make the following assumption:

Assumption 1. The least significant bit of $R1_1$ is one, that is, $\mathrm{lsb}(R1_1) = 1$.

The whole description of the attack on SOSEMANUK can be divided into five
phases as follows.

Phase 1. We first guess the total 159-bit values of $s_1$, $s_2$, $s_3$, $s_4^{(0)}$, $R2_1^{(0,1,2)}$
and the remaining 31 bits of $R1_1$.

Step 1.1 We first deduce $s_{10}^{(0)}$, $R2_2$, $s_{11}^{(0)}$ and $s_4^{(1)}$ as follows:

$$\{s_1^{(0)}, s_2^{(0)}, s_3^{(0)}, s_4^{(0)}\} \stackrel{(7)}{\Longrightarrow} \{f_1^{(0)}, f_2^{(0)}, f_3^{(0)}, f_4^{(0)}\},$$

$$\{f_1^{(0)}, R1_1^{(0)}, R2_1^{(0)}\} \stackrel{(5)}{\Longrightarrow} s_{10}^{(0)},$$

$$R1_1 \stackrel{(4)}{\Longrightarrow} R2_2,$$

$$\{R2_1^{(0)}, s_3^{(0)}, s_{10}^{(0)}\} \stackrel{(3)}{\Longrightarrow} R1_2^{(0)},$$

$$\{f_2^{(0)}, R1_2^{(0)}, R2_2^{(0)}\} \stackrel{(5)}{\Longrightarrow} s_{11}^{(0)},$$

$$\{s_1^{(3)}, s_4^{(0)}, s_{10}^{(0)}, s_{11}^{(0)}\} \stackrel{(2)}{\Longrightarrow} s_4^{(1)}.$$

Step 1.2 Similar to Step 1.1, we further deduce $s_{10}^{(1)}$, $R1_2^{(0,1)}$, $s_{11}^{(1)}$ and $s_4^{(2)}$
as follows:

$$\{s_1^{(1)}, s_2^{(1)}, s_3^{(1)}, s_4^{(1)}\} \stackrel{(7)}{\Longrightarrow} \{f_1^{(1)}, f_2^{(1)}, f_3^{(1)}, f_4^{(1)}\},$$

$$\{f_1^{(0,1)}, R1_1^{(0,1)}, R2_1^{(0,1)}\} \stackrel{(5)}{\Longrightarrow} s_{10}^{(0,1)},$$

$$\{R2_1^{(0,1)}, s_3^{(0,1)}, s_{10}^{(0,1)}\} \stackrel{(3)}{\Longrightarrow} R1_2^{(0,1)},$$

$$\{f_2^{(0,1)}, R1_2^{(0,1)}, R2_2^{(0,1)}\} \stackrel{(5)}{\Longrightarrow} s_{11}^{(0,1)},$$

$$\{s_1^{(0)}, s_1^{(3)}, s_4^{(0)}, s_{10}^{(1)}, s_{11}^{(1)}\} \stackrel{(2)}{\Longrightarrow} s_4^{(2)}.$$

Step 1.3 Similar to Step 1.2, we further deduce $s_{10}^{(2)}$, $R1_2^{(0,1,2)}$, $s_{11}^{(2)}$ and $s_4^{(3)}$
as follows:

$$\{s_1^{(2)}, s_2^{(2)}, s_3^{(2)}, s_4^{(2)}\} \stackrel{(7)}{\Longrightarrow} \{f_1^{(2)}, f_2^{(2)}, f_3^{(2)}, f_4^{(2)}\},$$

$$\{f_1^{(0,1,2)}, R1_1^{(0,1,2)}, R2_1^{(0,1,2)}\} \stackrel{(5)}{\Longrightarrow} s_{10}^{(0,1,2)},$$

$$\{R2_1^{(0,1,2)}, s_3^{(0,1,2)}, s_{10}^{(0,1,2)}\} \stackrel{(3)}{\Longrightarrow} R1_2^{(0,1,2)},$$

$$\{f_2^{(0,1,2)}, R1_2^{(0,1,2)}, R2_2^{(0,1,2)}\} \stackrel{(5)}{\Longrightarrow} s_{11}^{(0,1,2)},$$

$$\{s_1^{(1)}, s_1^{(3)}, s_4^{(0)}, s_{10}^{(2)}, s_{11}^{(2)}\} \stackrel{(2)}{\Longrightarrow} s_4^{(3)}.$$

In this phase we have obtained $s_1$, $s_2$, $s_3$, $s_4$, $s_{10}^{(0,1,2)}$, $s_{11}^{(0,1,2)}$, $R1_1$, $R1_2^{(0,1,2)}$,
$R2_1^{(0,1,2)}$ and $R2_2$.

Phase 2. Since we have obtained $s_1^{(3)}$, $s_2^{(3)}$, $s_3^{(3)}$ and $s_4^{(3)}$ in Phase 1, by
equation (7) we can calculate $f_1^{(3)}$, $f_2^{(3)}$, $f_3^{(3)}$ and $f_4^{(3)}$, that is,

$$\{s_1^{(3)}, s_2^{(3)}, s_3^{(3)}, s_4^{(3)}\} \stackrel{(7)}{\Longrightarrow} \{f_1^{(3)}, f_2^{(3)}, f_3^{(3)}, f_4^{(3)}\}.$$

Furthermore, by equations (5) and (2), we have

$$f_1^{(3)} = (s_{10}^{(3)} + R1_1^{(3)} + c_1 \bmod 2^8) \oplus R2_1^{(3)}, \qquad (8)$$

$$f_2^{(3)} = (s_{11}^{(3)} + R1_2^{(3)} + c_2 \bmod 2^8) \oplus R2_2^{(3)}, \qquad (9)$$

$$s_{11}^{(3)} = s_{10}^{(3)} \oplus \beta^{16} s_4^{(0)} \oplus \beta^{23} s_1^{(3)} \oplus s_1^{(2)}, \qquad (10)$$

where $c_1 = 1$ if $s_{10}^{(0,1,2)} + R1_1^{(0,1,2)} \ge 2^{24}$, or $c_1 = 0$ otherwise; and $c_2 = 1$ if
$s_{11}^{(0,1,2)} + R1_2^{(0,1,2)} \ge 2^{24}$, or $c_2 = 0$ otherwise.

By the assumption $\mathrm{lsb}(R1_1) = 1$, we have $R1_2 = R2_1 \boxplus (s_3 \oplus s_{10})$. It
follows that

$$R1_2^{(3)} = R2_1^{(3)} + (s_3^{(3)} \oplus s_{10}^{(3)}) + c_3 \bmod 2^8, \qquad (11)$$

where $c_3 = 1$ if $R2_1^{(0,1,2)} + (s_3^{(0,1,2)} \oplus s_{10}^{(0,1,2)}) \ge 2^{24}$, or $c_3 = 0$ otherwise.

Combining equations (8), (9), (10) and (11), we obtain the following equation
in the variable $s_{10}^{(3)}$:

$$d = (s_{10}^{(3)} \oplus a) + (s_3^{(3)} \oplus s_{10}^{(3)}) + \big(f_1^{(3)} \oplus (s_{10}^{(3)} + b \bmod 2^8)\big) + c \bmod 2^8, \qquad (12)$$

where $a = \beta^{16} s_4^{(0)} \oplus \beta^{23} s_1^{(3)} \oplus s_1^{(2)}$, $b = R1_1^{(3)} + c_1 \bmod 2^8$, $c = c_2 + c_3$ and
$d = f_2^{(3)} \oplus R2_2^{(3)}$.

In equation (12), all variables except $s_{10}^{(3)}$ are known. Since $s_{10}^{(3)}$ occurs
three times in the above equation, it is easy to verify that equation (12)
has exactly one solution. Denote its solution by $s_{10}^{(3)}$. When $s_{10}^{(3)}$ has been
obtained, we deduce $R2_1^{(3)}$, $s_{11}^{(3)}$ and $R1_2^{(3)}$ by equations (8), (10) and (11)
respectively.

Up to now we have obtained $s_1$, $s_2$, $s_3$, $s_4$, $s_{10}$, $s_{11}$, $R1_1$, $R2_1$, $R1_2$ and
$R2_2$.
Phase 3. In this phase we further deduce $R1_3$, $R2_3$, $R1_4$, $R2_4$, $R1_5$, $R2_5$,
$R2_6$, $s_5$, $s_6$, $s_{12}$ and $s_{13}$ as follows:

$$\{R1_2, R2_2, s_4, s_{11}\} \stackrel{(3)}{\Longrightarrow} R1_3,$$

$$R1_2 \stackrel{(4)}{\Longrightarrow} R2_3,$$

$$\{f_3, R1_3, R2_3\} \stackrel{(5)}{\Longrightarrow} s_{12},$$

$$\{s_2, s_{11}, s_{12}\} \stackrel{(2)}{\Longrightarrow} s_5,$$

$$\{R1_3, R2_3, s_5, s_{12}\} \stackrel{(3)}{\Longrightarrow} R1_4,$$

$$R1_3 \stackrel{(4)}{\Longrightarrow} R2_4,$$

$$\{f_4, R1_4, R2_4\} \stackrel{(5)}{\Longrightarrow} s_{13},$$

$$\{s_3, s_{12}, s_{13}\} \stackrel{(2)}{\Longrightarrow} s_6,$$

$$\{R1_4, R2_4, s_6, s_{13}\} \stackrel{(3)}{\Longrightarrow} R1_5,$$

$$R1_4 \stackrel{(4)}{\Longrightarrow} R2_5,$$

$$R1_5 \stackrel{(4)}{\Longrightarrow} R2_6.$$

Phase 4. We guess both $s_7^{(0)}$ and $s_8^{(0)}$. The following deductions are entirely
similar to Phase 1, and we can recover both $s_7^{(1,2,3)}$ and $s_8^{(1,2,3)}$:

$$\{s_5^{(0)}, s_6^{(0)}, s_7^{(0)}, s_8^{(0)}\} \stackrel{(7)}{\Longrightarrow} \{f_5^{(0)}, f_6^{(0)}, f_7^{(0)}, f_8^{(0)}\},$$

$$\{f_5^{(0)}, R1_5^{(0)}, R2_5^{(0)}\} \stackrel{(5)}{\Longrightarrow} s_{14}^{(0)},$$

$$\{s_4^{(3)}, s_7^{(0)}, s_{13}^{(0)}, s_{14}^{(0)}\} \stackrel{(2)}{\Longrightarrow} s_7^{(1)},$$

$$\{R1_5^{(0)}, R2_5^{(0)}, s_7^{(0)}, s_{14}^{(0)}\} \stackrel{(3)}{\Longrightarrow} R1_6^{(0)},$$

$$\{f_6^{(0)}, R1_6^{(0)}, R2_6^{(0)}\} \stackrel{(5)}{\Longrightarrow} s_{15}^{(0)},$$

$$\{s_5^{(3)}, s_8^{(0)}, s_{14}^{(0)}, s_{15}^{(0)}\} \stackrel{(2)}{\Longrightarrow} s_8^{(1)},$$

$$\{s_5^{(1)}, s_6^{(1)}, s_7^{(1)}, s_8^{(1)}\} \stackrel{(7)}{\Longrightarrow} \{f_5^{(1)}, f_6^{(1)}, f_7^{(1)}, f_8^{(1)}\},$$

$$\{f_5^{(0,1)}, R1_5^{(0,1)}, R2_5^{(0,1)}\} \stackrel{(5)}{\Longrightarrow} s_{14}^{(0,1)},$$

$$\{s_4^{(0)}, s_4^{(3)}, s_7^{(0)}, s_{13}^{(1)}, s_{14}^{(1)}\} \stackrel{(2)}{\Longrightarrow} s_7^{(2)},$$

$$\{R1_5^{(0,1)}, R2_5^{(0,1)}, s_7^{(0,1)}, s_{14}^{(0,1)}\} \stackrel{(3)}{\Longrightarrow} R1_6^{(0,1)},$$

$$\{f_6^{(0,1)}, R1_6^{(0,1)}, R2_6^{(0,1)}\} \stackrel{(5)}{\Longrightarrow} s_{15}^{(0,1)},$$

$$\{s_5^{(0)}, s_5^{(3)}, s_8^{(0)}, s_{14}^{(1)}, s_{15}^{(1)}\} \stackrel{(2)}{\Longrightarrow} s_8^{(2)},$$

$$\{s_5^{(2)}, s_6^{(2)}, s_7^{(2)}, s_8^{(2)}\} \stackrel{(7)}{\Longrightarrow} \{f_5^{(2)}, f_6^{(2)}, f_7^{(2)}, f_8^{(2)}\},$$

$$\{f_5^{(0,1,2)}, R1_5^{(0,1,2)}, R2_5^{(0,1,2)}\} \stackrel{(5)}{\Longrightarrow} s_{14}^{(0,1,2)},$$

$$\{s_4^{(1)}, s_4^{(3)}, s_7^{(0)}, s_{13}^{(2)}, s_{14}^{(2)}\} \stackrel{(2)}{\Longrightarrow} s_7^{(3)},$$

$$\{R1_5^{(0,1,2)}, R2_5^{(0,1,2)}, s_7^{(0,1,2)}, s_{14}^{(0,1,2)}\} \stackrel{(3)}{\Longrightarrow} R1_6^{(0,1,2)},$$

$$\{f_6^{(0,1,2)}, R1_6^{(0,1,2)}, R2_6^{(0,1,2)}\} \stackrel{(5)}{\Longrightarrow} s_{15}^{(0,1,2)},$$

$$\{s_5^{(1)}, s_5^{(3)}, s_8^{(0)}, s_{14}^{(2)}, s_{15}^{(2)}\} \stackrel{(2)}{\Longrightarrow} s_8^{(3)}.$$

Phase 5. Finally we deduce $s_9$ as follows:

$$\{s_5, s_6, s_7, s_8\} \stackrel{(7)}{\Longrightarrow} \{f_5, f_6, f_7, f_8\},$$

$$\{f_5, R1_5, R2_5\} \stackrel{(5)}{\Longrightarrow} s_{14}^{(3)},$$

$$\{R1_5, R2_5, s_7, s_{14}\} \stackrel{(3)}{\Longrightarrow} R1_6^{(3)},$$

$$\{f_6, R1_6, R2_6\} \stackrel{(5)}{\Longrightarrow} s_{15}^{(3)},$$

$$\{R1_6, R2_6, s_8, s_{15}\} \stackrel{(3)}{\Longrightarrow} R1_7,$$

$$R1_6 \stackrel{(4)}{\Longrightarrow} R2_7,$$

$$\{f_7, R1_7, R2_7\} \stackrel{(5)}{\Longrightarrow} s_{16},$$

$$\{s_6, s_{15}, s_{16}\} \stackrel{(2)}{\Longrightarrow} s_9.$$


Up to now we have recovered all internal states $s_1, s_2, \cdots, s_{10}$, $R1_1$ and $R2_1$ of
the SOSEMANUK algorithm. We then test the correctness of those values
by producing a key stream from the recovered values and comparing it
with the known key stream. If the key streams agree, the recovered
states are correct. If the key streams don't agree, we repeat the above
process until the correct internal states are found.

The process of the above attack is demonstrated in Table 1.

5 On Time and Data Complexities of Our Attack

The execution of the above attack needs to guess a total of 175 bits of the internal
states, including 159 bits of the internal states in Phase 1 and 16 bits in Phase 4,
and then all the rest of the internal states can be deduced under the assumption
$\mathrm{lsb}(R1_1) = 1$. Since the probability for $\mathrm{lsb}(R1_1) = 1$ to hold is 1/2, the time
complexity of the above attack on SOSEMANUK is $O(2^{176})$. In the attack we
only make use of 8 words of the known key stream, and during the verification
we need about another 8 words of the known key stream to verify whether the
guessed internal states are correct or not. Since by shifting the key stream by 4
words we can test two cases, the total data complexity is about 20 words
of the known key stream.

Table 1. The process of our attack

6 Further Discussion on the Assumption $\mathrm{lsb}(R1_1) = 1$

In the above attack, we make the assumption $\mathrm{lsb}(R1_1) = 1$, which guarantees
that equation (12) in Phase 2 has exactly one solution. However, it should be
pointed out that this assumption is not necessary for our attack to work. In fact,
we directly guess the 160-bit values of $s_1$, $s_2$, $s_3$, $s_4^{(0)}$, $R1_1$ and $R2_1^{(0,1,2)}$ in Phase
1. When $\mathrm{lsb}(R1_1) = 0$, we have $R1_2 = R2_1 \boxplus s_3$ in Phase 2. It follows that

$$R1_2^{(3)} = R2_1^{(3)} + s_3^{(3)} + c_4 \bmod 2^8, \qquad (13)$$

where $c_4 = 1$ if $R2_1^{(0,1,2)} + s_3^{(0,1,2)} \ge 2^{24}$, or $c_4 = 0$ otherwise.

Similar to equation (12), combining equations (8), (9), (10) and (13), we obtain
the following equation in the variable $s_{10}^{(3)}$:

$$d' = (s_{10}^{(3)} \oplus a') + \big(f_1^{(3)} \oplus (s_{10}^{(3)} + b' \bmod 2^8)\big) + c' \bmod 2^8, \qquad (14)$$

where $a' = \beta^{16} s_4^{(0)} \oplus \beta^{23} s_1^{(3)} \oplus s_1^{(2)}$, $b' = R1_1^{(3)} + c_1 \bmod 2^8$, $c' = s_3^{(3)} + c_2 +
c_4 \bmod 2^8$ and $d' = f_2^{(3)} \oplus R2_2^{(3)}$. Since $s_{10}^{(3)}$ occurs two times in equation (14),
it is easy to verify that equation (14) has either no solution, or $2^k$ solutions for
some non-negative integer k. When equation (14) has no solution, we come
back to Phase 1 and repeat guessing new values of those internal states. When
equation (14) has $2^k$ solutions for some integer k, we write down all solutions,
and then for each solution we go on with the deductions according to Phases 3, 4 and
5. Finally we obtain $2^k$ different values of the internal states of SOSEMANUK
and verify their correctness respectively.

Now we estimate the time and data complexity of the above method. In Phase
1 we guess a total of 160 bits of the internal states instead of 159 bits. $2^{159}$
of those values satisfy $\mathrm{lsb}(R1_1) = 1$ and another $2^{159}$ values satisfy $\mathrm{lsb}(R1_1) = 0$.
For the $2^{159}$ values satisfying $\mathrm{lsb}(R1_1) = 1$, we have $2^{159}$ possible values of $s_1$, $s_2$,
$s_3$, $s_4$, $s_{10}$, $s_{11}$, $R1_1$, $R2_1$, $R1_2$ and $R2_2$ after Phase 2. For the $2^{159}$ values satisfying
$\mathrm{lsb}(R1_1) = 0$, since equation (14) has the same number of solutions as that of
the possible values of the variables when all the variables except $s_{10}^{(3)}$ go through
all possible values, we also have $2^{159}$ possible values of $s_1$, $s_2$, $s_3$, $s_4$, $s_{10}$,
$s_{11}$, $R1_1$, $R2_1$, $R1_2$ and $R2_2$ after Phase 2. Therefore we have $2^{160}$ possible
values in total. For each possible value, we go on deducing according to Phases 3, 4 and
5, hence the total time complexity is still $O(2^{176})$. But without the assumption,
the data complexity reduces to 16 words of the known key stream.
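The byte equations of Phase 2 and of this section, as an added example (not the authors' code). It constructs a consistent sample state with random words, derives $f_1$, $f_2$ and the carries $c_1$, $c_2$, $c_3$ (or $c_4$) exactly as in equations (8) through (11) and (13), and then solves (12) or (14) for $s_{10}^{(3)}$ by trying all 256 candidates, which is what "easy to verify" amounts to in practice. One simplification is mine: the known byte $a = \beta^{16}s_4^{(0)} \oplus \beta^{23}s_1^{(3)} \oplus s_1^{(2)}$ is drawn as an arbitrary byte rather than computed from $s_1$ and $s_4$, since the equations only use its value; the lower three bytes of $s_{11}$ are likewise drawn at random, standing in for the values Phase 1 recovers.

```python
"""Equations (12) and (14): the byte-level equation in s_10^{(3)} solved in Phase 2,
with the carries c_1..c_4.  Added example, not the authors' code."""
import random

MASK32 = 0xFFFFFFFF

def byte(x, i):
    return (x >> (8 * i)) & 0xFF

def low24(x):
    """x^{(0,1,2)} as an integer."""
    return x & 0xFFFFFF

def solve_eq12(a, b, c, d, s3_3, f1_3):
    """All x = s_10^{(3)} with d = (x^a) + (s_3^{(3)}^x) + (f_1^{(3)}^(x+b mod 2^8)) + c mod 2^8."""
    return [x for x in range(256)
            if ((x ^ a) + (s3_3 ^ x) + (f1_3 ^ ((x + b) & 0xFF)) + c) & 0xFF == d]

def solve_eq14(a, b, c, d, f1_3):
    """All x with d' = (x^a') + (f_1^{(3)}^(x+b' mod 2^8)) + c' mod 2^8 (the lsb(R1_1) = 0 case)."""
    return [x for x in range(256)
            if ((x ^ a) + (f1_3 ^ ((x + b) & 0xFF)) + c) & 0xFF == d]

def phase2_instance(seed, lsb_r1_1):
    """Constructed sample state; returns (solutions of (12) or (14), the true s_10^{(3)})."""
    rnd = random.Random(seed)
    s3, s10, r1_1, r2_1, r2_2 = (rnd.getrandbits(32) for _ in range(5))
    r1_1 = (r1_1 & ~1) | lsb_r1_1
    a = rnd.getrandbits(8)                                    # the known byte of equation (10) (assumed)
    s11 = rnd.getrandbits(24) | ((byte(s10, 3) ^ a) << 24)    # byte 3 of s_11 by (10); low bytes assumed known
    sel = (s3 ^ s10) if lsb_r1_1 else s3                      # mux(lsb(R1_1), s_3, s_3 xor s_10)
    r1_2 = (r2_1 + sel) & MASK32                              # (3) at t = 2
    f1 = ((s10 + r1_1) & MASK32) ^ r2_1                       # (5) at t = 1
    f2 = ((s11 + r1_2) & MASK32) ^ r2_2                       # (5) at t = 2
    c1 = int(low24(s10) + low24(r1_1) >= 1 << 24)             # carry into byte 3 in (8)
    c2 = int(low24(s11) + low24(r1_2) >= 1 << 24)             # carry into byte 3 in (9)
    b = (byte(r1_1, 3) + c1) & 0xFF
    d = byte(f2, 3) ^ byte(r2_2, 3)
    if lsb_r1_1:
        c3 = int(low24(r2_1) + (low24(s3) ^ low24(s10)) >= 1 << 24)   # carry in (11)
        sols = solve_eq12(a, b, c2 + c3, d, byte(s3, 3), byte(f1, 3))
    else:
        c4 = int(low24(r2_1) + low24(s3) >= 1 << 24)                  # carry in (13)
        sols = solve_eq14(a, b, (byte(s3, 3) + c2 + c4) & 0xFF, d, byte(f1, 3))
    return sols, byte(s10, 3)

def eq12_unique(trials=25):
    """lsb(R1_1) = 1: equation (12) has exactly one solution, the true s_10^{(3)}."""
    for seed in range(trials):
        sols, true_byte = phase2_instance(seed, 1)
        if sols != [true_byte]:
            return False
    return True

def eq14_paired(trials=25):
    """lsb(R1_1) = 0: the true value is among the solutions, and solutions come in pairs
    x, x xor 0x80, because bit 7 of s_10^{(3)} cancels between the two occurrences in (14)."""
    for seed in range(trials):
        sols, true_byte = phase2_instance(seed, 0)
        if true_byte not in sols or len(sols) % 2 != 0:
            return False
    return True

if __name__ == "__main__":
    print(eq12_unique(), eq14_paired())   # True True
    print(phase2_instance(0, 0)[0])       # an even number of candidate bytes
```

Why (12) is uniquely solvable: bit j of the right-hand side equals bit j of $s_{10}^{(3)}$ XORed with a function of the lower bits only (the three occurrences contribute $x_j$ an odd number of times), so the bits are determined from the least significant one upward. In (14) the two occurrences cancel at every bit, so bit j of the right-hand side depends only on bits below j, which is the source of the "no solution or several" behaviour discussed above.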

7 Conclusion

In this paper, we presented a byte-based guess and determine attack on SOSEMANUK,
which only needs a few words of key stream to recover all internal
states of SOSEMANUK with time complexity $O(2^{176})$. The results show that
when the length of an encryption key is larger than 176 bits, the guess and
determine attack is more efficient than an exhaustive key search.
Abstract. AES is the most widely used block cipher today, and its security
is one of the most important issues in cryptanalysis. After 13 years
of analysis, related-key attacks were recently found against two of its flavors
(AES-192 and AES-256). However, such a strong type of attack is
not universally accepted as a valid attack model, and in the more standard
single-key attack model at most 8 rounds of these two versions can
be currently attacked. In the case of 8-round AES-192, the only known
attack (found 10 years ago) is extremely marginal, requiring the evaluation
of essentially all the $2^{128}$ possible plaintext/ciphertext pairs in
order to speed up exhaustive key search by a factor of 16. In this paper
we introduce three new cryptanalytic techniques, and use them to get
the first non-marginal attack on 8-round AES-192 (making its time complexity
about a million times faster than exhaustive search, and reducing
its data complexity to about 1/32,000 of the full codebook). In addition,
our new techniques can reduce the best known time complexities for all
the other combinations of 7-round and 8-round AES-192 and AES-256.


1 Introduction 

The Rijndael block cipher [?] was developed in the late 1990s by Joan Daemen
and Vincent Rijmen, and was selected as the Advanced Encryption Standard
(AES) in 2001. Over the last ten years it replaced the Data Encryption Standard
(DES) in most applications, and has become the block cipher of choice for any
new security application. It has three possible key sizes (128, 192, and 256 bits),
and in 2003 the US government publicly announced that AES-128 can be
used to protect classified data up to the level of "secret", and that AES-192 and
AES-256 can be used to protect classified data up to the level of "top secret".

Due to its importance and popularity, the security of AES has attracted a
lot of attention, and is considered one of the hottest areas of research in cryptanalysis.
A major breakthrough was the recent discovery of related-key attacks
on the full versions of AES-192 and AES-256 [?] which are faster than exhaustive
search, but have impractical complexities. In another line of research [2],

* The second author was partially supported by the Koshland center for basic research. 

M. Abe (Ed.): ASIACRYPT 2010, LNCS 6477, pp. 158–176, 2010.

related-key attacks requiring practical time complexity of $2^{45}$ were found on
AES-256 with up to 10 rounds, and related-key attacks requiring semi-practical
time complexity of $2^{70}$ were found on AES-256 with 11 rounds.

The main weakness of AES-192 and AES-256 exploited in these attacks was 
their extremely simple key schedule. In a related-key attack model, this made it 
possible to cancel data differences with corresponding key differences over many 
rounds of AES. This created a very high probability differential characteristic, 
which led to a greatly improved time complexity. However, such attacks make a 
very strong assumption that the adversary can ask the encryption box to modify 
the unknown key in a known way. Some of these attacks even assume that the 
adversary can obtain a large number of related keys, or that he can obtain
related intermediate subkeys — see [?] for a discussion of these possibilities.
Consequently, related-key attacks are important considerations during the design 
and certification stage of new ciphers, but are not considered a realistic threat 
in practical security protocols which use the block cipher in a standard way. 

In this paper we consider the classical attack model of a single key and multiple 
known or chosen plaintext/ciphertext pairs. In this model the adversary has to 
deal with the very well designed data path of AES, and cannot directly benefit 
from its weak key schedule. Consequently, there are no known attacks on the full 
cipher on any one of the three flavors of AES, and the best we can do is to attack 
reduced round versions of AES. In the case of AES-256, the largest number of 
rounds that can be attacked is 8. In the case of AES-192 there is one attack
on 8-round AES-192, published in [?], which is extremely marginal: it
requires the evaluation of essentially all the possible plaintext/ciphertext pairs
under the unknown key, and even then the time required to derive the key is only
16 times faster than exhaustive search (one can argue that given the complete
codebook of size $2^{128}$, there is no need to find the actual key in order to easily
decrypt any given ciphertext . . . ). In the case of AES-128, there are no known
attacks on its 8-round version, but there are a few on 7-round variants. 

In order to improve all these known attacks, and especially the marginal attack
on 8-round AES-192 which no one was able to improve upon in the last ten years,
we develop three new cryptanalytic techniques. Our starting point is the attack
on 7-round AES developed by Gilbert and Minier [?], which constructs a large
table of $2^{72}$ entries, where each entry contains a sequence of 256 byte values. This
idea was extended to 8-round AES by Demirci and Selçuk [?], who constructed
an even larger table of $2^{192}$ entries (again containing sequences of 256 byte
values, which are constructed in a slightly modified way). Due to the $2^{200}$ time
required just to construct this table, this attack is worse than exhaustive search
for 8-round AES-192, and can only be applied to 8-round AES-256.

Our first new idea (called multiset tabulation) is to replace the sequence of 256
byte values in each table entry by the multiset of its values. Even though we lose
some information, we show that it is still possible to use such a table in order to
discard with very high probability incorrect key guesses. This modification makes
it possible to reduce the number of table entries (and thus also the time required
to prepare the table) by a factor of $2^{16}$. An even bigger saving (by a factor of
$2^{57}$) in the size of the table is obtained by another new technique which we
call differential enumeration. It uses some truncated differential (which need not
have particularly high or low probability, as required in standard or impossible
differential attacks) in order to enumerate the entries of such a table in a much
more efficient way: Instead of directly enumerating state values, the adversary
derives them indirectly by enumerating the input and output differential values of
certain internal S-boxes. By reducing the space complexity in such a major way,
we can now trade it off with the high time complexity of the Demirci and Selçuk
attack in order to greatly improve it. Finally, we develop a new key bridging
technique which exploits the weak key schedule of AES by using the following
surprising observation: In the particular case of 8-round AES-192, it is possible to
compute one byte of the whitening subkey (used before the first round) directly
from four bytes of the last subkey (used at the end of the eighth round), despite
their distance. Since our attack requires guessing these five subkey bytes in the
first and last rounds, we get an extra savings of $2^8$ in our time complexity.$^1$ By
combining these three techniques, we can now break 8-round AES-192 in about
one millionth of the complexity of exhaustive search.

Our new results are summarized and compared with previously known single-key
attacks in Table 1. As can be seen, our time complexities for 8-round AES
are considerably better than the best previous results for both AES-192 and
AES-256.

This paper is organized as follows: In Section 2 we describe the AES block
cipher and introduce our notations. In Section 3 we describe the techniques used
in previous attacks, and analyze their complexity. In Section 4 we introduce our
new cryptanalytic techniques. We use them in Section 5 to improve the best
known attacks on 7-round AES, and in Section 6 to improve the best known
attacks on 8-round AES. Finally, in Section 7 we summarize our results.

2 A Short Description of AES

The Advanced Encryption Standard (AES) [?] is an SP-network that supports key
sizes of 128, 192, and 256 bits. A 128-bit plaintext is treated as a byte matrix of
size 4x4, where each byte represents a value in $GF(2^8)$. An AES round applies
four operations to the state matrix:

— SubBytes (SB) — applying the same 8-bit to 8-bit invertible S-box 16 times
in parallel on each byte of the state,

— ShiftRows (SR) — cyclically shifting the i'th row by i bytes to the left,

— MixColumns (MC) — multiplication of each column by a constant 4x4 matrix
over the field $GF(2^8)$, and

— AddRoundKey (ARK) — XORing the state with a 128-bit subkey.

We outline an AES round in Figure 1.

1 The same idea can be used to improve the time complexity of several other attacks
such as [?] by the same factor of $2^8$.

Fig. 1. An AES round


In the first round, an additional AddRoundKey operation (using a whitening 
subkey) is applied, and in the last round the MixColumns operation is omitted. 
Rounds which include the MixColumns operation are called full rounds. 

The number of rounds depends on the key length: 10 rounds for 128-bit keys,
12 rounds for 192-bit keys, and 14 rounds for 256-bit keys. The rounds are
numbered $0, \ldots, Nr - 1$, where Nr is the number of rounds. For the sake of
simplicity we shall denote AES with n-bit keys by AES-n, e.g., AES with 128-bit
keys (and thus with 10 rounds) is denoted by AES-128. We use AES to mean
all three variants of AES.

The key schedule of AES takes the user key and transforms it into Nr + 1
subkeys of 128 bits each. The subkey array is denoted by $W[0, \ldots, 4 \cdot Nr + 3]$,
where each word of $W[\cdot]$ consists of 32 bits. Let the length of the key be Nk
32-bit words; then the first Nk words of $W[\cdot]$ are loaded with the user supplied
key. The remaining words of $W[\cdot]$ are updated according to the following rule:

— For $i = Nk, \ldots, 4 \cdot Nr + 3$, do

• If $i \equiv 0 \bmod Nk$ then $W[i] = W[i - Nk] \oplus SB(W[i - 1] \lll 8) \oplus RCON[i/Nk]$,

• else if $Nk = 8$ and $i \equiv 4 \bmod 8$ then $W[i] = W[i - 8] \oplus SB(W[i - 1])$,

• Otherwise $W[i] = W[i - 1] \oplus W[i - Nk]$,

where $RCON[\cdot]$ is an array of predetermined constants, and $\lll$ denotes rotation
of the word by 8 bits to the left.


2.1 The Notations Used in the Paper

In the sequel we use the following definitions and notations: The state matrix
at the beginning of round i is denoted by $X_i$, and its bytes are denoted by
$0, 1, 2, \ldots, 15$, as described in Figure 1. Similarly, the state matrices after the
SubBytes and the ShiftRows operations of round i are denoted by $X_{i(SB)}$ and
$X_{i(SR)}$ respectively.

We denote the subkey of round i by $k_i$, and the first (whitening) key by $k_{-1}$,
i.e., $k_i = W[4 \cdot (i + 1)] \,\|\, W[4 \cdot (i + 1) + 1] \,\|\, W[4 \cdot (i + 1) + 2] \,\|\, W[4 \cdot (i + 1) + 3]$.
In some cases, we are interested in interchanging the order of the MixColumns
operation and the subkey addition. As these operations are linear they can be
interchanged, by first XORing the data with an equivalent subkey and only
then applying the MixColumns operation. We denote the equivalent subkey for
the altered version by $u_i$, i.e., $u_i = MC^{-1}(k_i)$. The bytes of the subkeys are
numbered by $0, 1, \ldots, 15$, in accordance with the corresponding state bytes.

We use the following notations for intermediate encryption values: The intermediate
state at the beginning of round i in the encryption of $P^j$ is denoted by
$X_i^j$, and its bytes are denoted by $X_{i,l}^j$, for $0 \le l \le 15$. Similarly, the intermediate
values after the SubBytes and the ShiftRows operations of round i are denoted
by $X_{i(SB),l}^j$ and $X_{i(SR),l}^j$ respectively.

In our attacks we mostly consider the encryption of $\delta$-sets, which are structured
sets of 256 plaintexts $\{P^0, P^1, \ldots, P^{255}\}$ in which one active byte assumes
each one of the 256 possible values exactly once, and each one of the other 15
bytes is a (possibly different) constant. A state byte is called balanced if the XOR
of its 256 values during the encryption of a $\delta$-set is zero.

In all the observations considering reduced-round versions of AES, the numbering
of the rounds starts with round 0. When we analyze the behavior of some
consecutive inner rounds of AES, we shift the round numbering accordingly,
depending on the number of rounds we add at the beginning.

Finally, we measure the time complexity of all the attacks in units which are
equivalent to a single encryption operation of the relevant reduced-round variant
of AES. We measure the space complexity in units which are equivalent to the
storage of a single plaintext (namely, 128 bits). To be completely fair, we count
all operations carried out during our attacks, and in particular we do not ignore
the time and space required to prepare the various tables we use.

3 Previous Work

The first attack developed against AES was the SQUARE attack, which was
found by its designers [?]. The SQUARE attack is based on:

Observation 1. Consider the encryption of a $\delta$-set through three full AES rounds.
The set of 256 corresponding ciphertexts is balanced, i.e., the XOR of the 256 values
in each one of its 16 bytes is zero.

The observation follows easily from the structure of AES, as demonstrated in
Figure 2. This property is the basis of many attacks on reduced-round variants
of AES. The original submission [?] offers a 6-round attack with time complexity
of $2^{72}$, which was later improved in [?] using the partial sums technique to offer
the best known attack on 6-round AES (with time $2^{42}$).
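The key schedule rule of Section 2 and Observation 1 in one runnable piece, as an added example that is not the paper's code. It derives the S-box from the field inverse and affine map rather than typing in the table, expands a key with the three-case rule (so all of AES-128, AES-192 and AES-256 are covered), implements SB, SR, MC and ARK on the column-wise byte numbering of Section 2.1, and then encrypts a $\delta$-set (active byte 0, the other fifteen bytes random constants) through three full rounds under a random key: the XOR of the 256 states is zero in every byte, and after a fourth full round it is not. The test keys quoted in the comments are the FIPS-197 Appendix A examples; the function names and the random constants are mine.

```python
"""AES key expansion (three-case rule of Section 2) and the delta-set property of
Observation 1.  Added example, not the paper's code."""
import random

MASK32 = 0xFFFFFFFF

def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x11B) if a & 0x80 else (a << 1)
        b >>= 1
    return r & 0xFF

def gf_inv(x):
    """x^254 = x^(-1) in GF(2^8); maps 0 to 0."""
    r, p = 1, x
    for _ in range(7):
        p = gf_mul(p, p)
        r = gf_mul(r, p)
    return r

def sbox_entry(x):
    """Inversion followed by the affine map; derived here instead of typing in the table."""
    inv = gf_inv(x)
    rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63

SBOX = [sbox_entry(x) for x in range(256)]
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def rot_word(w):
    """Rotate a 32-bit word by 8 bits to the left."""
    return ((w << 8) | (w >> 24)) & MASK32

def sub_word(w):
    """SB applied to each byte of a 32-bit word."""
    return int.from_bytes(bytes(SBOX[b] for b in w.to_bytes(4, "big")), "big")

def expand_key(key):
    """W[0 .. 4*Nr+3] for a 16-, 24- or 32-byte key (Nk = 4, 6, 8; Nr = Nk + 6)."""
    nk = len(key) // 4
    nr = nk + 6
    W = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(nk)]
    for i in range(nk, 4 * nr + 4):
        if i % nk == 0:                               # i = 0 mod Nk
            t = sub_word(rot_word(W[i - 1])) ^ (RCON[i // nk - 1] << 24)
        elif nk == 8 and i % 8 == 4:                  # AES-256 only
            t = sub_word(W[i - 1])
        else:
            t = W[i - 1]
        W.append(W[i - nk] ^ t)
    return W

def round_key(W, i):
    """k_i = W[4(i+1)] || ... || W[4(i+1)+3]; i = -1 is the whitening key."""
    return b"".join(W[4 * (i + 1) + j].to_bytes(4, "big") for j in range(4))

# State bytes are numbered column-wise: the byte in row r, column c has index 4*c + r.
def sub_bytes(s):
    return [SBOX[b] for b in s]

def shift_rows(s):
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gf_mul(2, a0) ^ gf_mul(3, a1) ^ a2 ^ a3,
                a0 ^ gf_mul(2, a1) ^ gf_mul(3, a2) ^ a3,
                a0 ^ a1 ^ gf_mul(2, a2) ^ gf_mul(3, a3),
                gf_mul(3, a0) ^ a1 ^ a2 ^ gf_mul(2, a3)]
    return out

def add_round_key(s, k):
    return [x ^ y for x, y in zip(s, k)]

def encrypt_full_rounds(p, W, rounds):
    """Whitening with k_{-1}, then `rounds` full rounds (SB, SR, MC, ARK); no final round."""
    s = add_round_key(list(p), round_key(W, -1))
    for i in range(rounds):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), round_key(W, i))
    return s

def delta_set(consts, active=0):
    """256 plaintexts: byte `active` takes every value once, the other 15 are fixed constants."""
    return [[v if j == active else consts[j] for j in range(16)] for v in range(256)]

def xor_sum_after(rounds, seed=7):
    """XOR of the 256 states after `rounds` full rounds under a random key (constructed data);
    all sixteen entries zero means every byte is balanced."""
    rnd = random.Random(seed)
    W = expand_key(bytes(rnd.getrandbits(8) for _ in range(16)))
    consts = [rnd.getrandbits(8) for _ in range(16)]
    acc = [0] * 16
    for p in delta_set(consts):
        acc = [x ^ y for x, y in zip(acc, encrypt_full_rounds(p, W, rounds))]
    return acc

if __name__ == "__main__":
    W = expand_key(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"))   # FIPS-197 A.1 key
    print(hex(W[4]), hex(W[43]))      # 0xa0fafe17 0xb6630ca6
    print(xor_sum_after(3))           # sixteen zeros (Observation 1)
    print(any(xor_sum_after(4)))      # True: four full rounds are not balanced
```

The balanced property does not depend on the key or on the S-box table, only on SB being a bijection and MC being linear, which is why a random key suffices for the demonstration; the key expansion is included so that the subkey notation $k_i$ of Section 2.1 maps onto concrete words of $W[\cdot]$.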

In [?], Gilbert and Minier proposed to refine the information on the intermediate
encryption values of the $\delta$-sets exploited in the SQUARE attack. Their
attack is based on the following observation:

Observation 2. Consider the encryption of a $\delta$-set through three full AES rounds.
For each one of the 16 bytes of the ciphertext, we can define a sequence of 256 values
for this byte by ordering the plaintexts according to the value of their active
byte. Then any such sequence is fully determined by just 9 bytes, which are complex
functions of the constants in the $\delta$-set and the key bytes. Consequently, for
Fig. 2. The development of a $\delta$-set through 3 rounds of AES, where A stands for an
active byte, B stands for a balanced byte, and C stands for a constant byte

any fixed byte position, there are at most $2^{72}$ possible sequences when we consider
all the possible choices of keys and $\delta$-sets (out of the $(2^8)^{256} = 2^{2048}$ "theoretically
possible" 256-byte sequences, and out of the $2^{256 + 15 \cdot 8} = 2^{376}$ sequences
which could be potentially defined by the choice of 15 constant bytes and 256 key
bits.)

This observation was used in [?] to mount an attack on 7-round AES-128 with
time complexity slightly smaller than that of exhaustive key search. Since the
attack algorithm is a bit complex and not used in our paper, we omit it here.

In [?], Demirci and Selçuk extended the observation of [?] by another round.
They showed the following:

Observation 3. Consider the encryption of a $\delta$-set through four full AES rounds.
For each of the 16 bytes of the state, the ordered sequence of 256 values of that byte
in the corresponding ciphertexts is fully determined by just 25 byte parameters.
Consequently, for any fixed byte position, there are at most $2^{200}$ possible sequences
when we consider all the possible choices of keys and $\delta$-sets.$^2$

This observation was used in [?] to mount attacks on 7-round and 8-round variants
of AES-256. The attack on 7-round AES-256 is roughly as follows:

1. Preprocessing phase: Compute all the $2^{192}$ possible values of the 255-byte
sequence given in Observation 3 and store them in a hash table.

2. Online phase:

(a) Guess the value of four bytes in the whitening key $k_{-1}$ and of one byte
in $k_0$, and for each guess, construct a $\delta$-set from the data. (For example,
if the active byte of the $\delta$-set is byte 0, then the guessed bytes are bytes
0, 5, 10, 15 of $k_{-1}$ and byte 0 of $k_0$. Note that byte 0 of $k_0$ is used only
to compute the order of the values in the $\delta$-set).

(b) Guess four bytes of the equivalent subkey $u_6$ and one byte of the equivalent
subkey $u_5$, and partially decrypt the ciphertexts of the $\delta$-set to obtain
the sequence of 256 intermediate values of one byte of the state $X_5$. (For
example, if the byte to be checked is byte 0, then the subkey bytes the
adversary should guess are byte 0 of $u_5$ and bytes 0, 7, 10, 13 of $u_6$).

(c) Check whether the sequence exists in the hash table. If not, discard the
key guess.

2 In [?] the authors note that the function $f_{c_1,\ldots,c_{25}}(x)$ can be written as $f_{c_1,\ldots,c_{25}}(x) =
g_{c_1,\ldots,c_{24}}(x) \oplus c_{25}$, and thus one can reduce the number of possible sequences by picking
some $x_0$, and considering the augmented function $f'_{c_1,\ldots,c_{24}}(x) = f_{c_1,\ldots,c_{25}}(x) -
f_{c_1,\ldots,c_{25}}(x_0) = g_{c_1,\ldots,c_{24}}(x) - g_{c_1,\ldots,c_{24}}(x_0)$. In this case, the number of parameters is
reduced to 24, the number of "interesting" entries in each sequence is reduced to 255
(as $f'(x_0) = 0$, independently of the choice of $x_0$ and $c_1, \ldots, c_{24}$), and the number
of possible sequences is reduced to $2^{192}$.

The data complexity of the attack is $2^{32}$ chosen plaintexts. The time complexity of the online phase is relatively modest at $2^{80}$, but the space complexity and the time complexity in encryption operations required to prepare this large table are about $2^{200}$. These complexities are worse than exhaustive search for both AES-192 and AES-128. However, Demirci and Selçuk presented a tradeoff which makes it possible to decrease the memory complexity at the expense of increasing both the data and the online time complexities. This results in an attack on 7-round AES-192 with data complexity of $2^{96}$ chosen plaintexts, and time and space complexities of $2^{144}$.

The attack in [7] can be extended to 8-round AES-256 by guessing the full subkey of the last round. This increases the time complexity of the online phase from $2^{80}$ to $2^{208}$ encryptions, and makes it impossible to rebalance the parameters in order to attack 8-round AES-192 (footnote 3).


4 Our New Techniques 

In this section we present three new techniques. First, we present a new variant of Observation 3 which is stronger and simpler to analyze. Then we show how a combination of the δ-set analysis with a 4-round differential makes it possible to reduce the memory complexity of the attack by a factor of $2^{57}$. Finally, we show that for AES-192 and AES-256, the time complexity of the 8-round attack can be reduced using key schedule considerations by a factor of $2^{32}$ and $2^{8}$, respectively.


4.1 The Multiset Variant of the Demirci-Selçuk Observation

We start with our new variant of Observation 3.

Observation 4. Consider the encryption of a δ-set $\{P^0, P^1, \ldots, P^{255}\}$ through four full AES rounds. For each $0 \le l \le 15$, the (un-ordered) multiset (footnote 4)

$$\{X^0_{4,l} \oplus X^0_{4,l},\; X^1_{4,l} \oplus X^0_{4,l},\; \ldots,\; X^{255}_{4,l} \oplus X^0_{4,l}\}$$

is fully determined by the following byte parameters:

— The full 16-byte state $X^0_2$.

— Four bytes of the state $X^0_1$. (For example, if the active byte of the δ-set is byte 0 then these are bytes 0, 1, 2, 3).

— Four bytes of the subkey $k_2$. (For example, if $l = 0$ then these are bytes 0, 5, 10, 15).

Moreover, this multiset can assume only $2^{184}$ values (out of the approximately $2^{507.6}$ "theoretically possible" values).

3 We note that in a more recent paper, Demirci et al. [8] claim that by optimizing their technique they can also attack 7-round AES-128 faster than exhaustive search. However, we note that the analysis of [8] is flawed, and the correct running time of the attack is about $2^{32}$ times more than claimed, and in particular more than the complexity of exhaustive key search for the 128-bit key version.

Improved Single-Key Attacks on 8-Round AES-192 and AES-256 165

Our variant has several advantages over Observation 3:

— The parameters upon which the sequence depends are specified explicitly. This is crucial for the major reduction in the number of parameters presented in the next section.

— The smaller number of possible configurations in our variant ($2^{184}$ instead of $2^{192}$) makes it possible to reduce the memory requirements of the attack and the time complexity of the preprocessing phase by a factor of $2^8$.

— Since we consider a multiset instead of an ordered sequence, the adversary does not need to know the order of the values in the δ-set at the beginning of the four rounds. This makes it possible to skip the guess of one byte in the subkey $k_0$ (reducing the time complexity of the online phase by $2^8$).

Proof. The proof emphasizes the meet-in-the-middle nature of the observation.

We start with the "bottom side" of the four rounds. First, we observe that if $\{X^0_2, X^1_2, \ldots, X^{255}_2\}$ are known, then the knowledge of bytes 0, 5, 10, 15 of $k_2$ yields the knowledge of the entire first column before the AddRoundKey of round 3 in all the 256 encryptions. Since the AddRoundKey preserves differences, this yields the desired values of the vector of differences $(X^1_{4,0} \oplus X^0_{4,0},\; X^2_{4,0} \oplus X^0_{4,0},\; \ldots,\; X^{255}_{4,0} \oplus X^0_{4,0})$.

Secondly, to know the values $\{X^0_2, X^1_2, \ldots, X^{255}_2\}$, it is sufficient to know the value $X^0_2$, which is given as part of the parameters, and the differences $(X^1_2 \oplus X^0_2,\; X^2_2 \oplus X^0_2,\; \ldots,\; X^{255}_2 \oplus X^0_2)$. Since the ShiftRows, the MixColumns and the AddRoundKey operations are linear, it is sufficient to know the differences

$$(X^1_{1(SB)} \oplus X^0_{1(SB)},\; X^2_{1(SB)} \oplus X^0_{1(SB)},\; \ldots,\; X^{255}_{1(SB)} \oplus X^0_{1(SB)}).$$

Now we turn to the "top side" of the four rounds. In round 0, the differences $(X^1_{0(SB)} \oplus X^0_{0(SB)},\; X^2_{0(SB)} \oplus X^0_{0(SB)},\; \ldots,\; X^{255}_{0(SB)} \oplus X^0_{0(SB)})$ are known: these are exactly the 256 possible differences in byte 0 (the rest of the bytes are equal). Note that the order of the differences is not known, but this does not disturb the adversary, since in our attack she is interested only in the multiset and not in the sequence. Since the ShiftRows, the MixColumns, and the AddRoundKey operations are linear, the differences $(X^1_1 \oplus X^0_1,\; X^2_1 \oplus X^0_1,\; \ldots,\; X^{255}_1 \oplus X^0_1)$ are also known. By the structure of the δ-set, these differences are active in bytes 0, 1, 2, 3 and passive in the rest of the bytes. Since bytes 0, 1, 2, 3 of $X^0_1$ are given as part of the parameters, bytes 0, 1, 2, 3 of the values $\{X^1_1, \ldots, X^{255}_1\}$ are thus also known, and so are bytes 0, 1, 2, 3 of $\{X^0_{1(SB)}, \ldots, X^{255}_{1(SB)}\}$.

Since the differences $X^j_{1(SB)} \oplus X^0_{1(SB)}$ in all the bytes except for 0, 1, 2, 3 are zero for all $j = 1, 2, \ldots, 255$, this implies that the full vector of differences $(X^1_{1(SB)} \oplus X^0_{1(SB)},\; X^2_{1(SB)} \oplus X^0_{1(SB)},\; \ldots,\; X^{255}_{1(SB)} \oplus X^0_{1(SB)})$ is known, as required above.

Finally, since the multiset depends on 24 byte parameters, it can assume at most $2^{192}$ possible values. However, in this count, each δ-set is represented by $2^8$ multisets, according to the 256 possible choices of $P^0$. We can then reduce the number of parameters by one by choosing $P^0$ such that $X^0_{1,0} = 0$ (this is possible since byte 0 in state $X_1$ is active). This reduces the number of possible multisets to $2^{184}$, concluding the proof. □

4 Unlike sets, elements can occur multiple times, and the multiset retains this multiplicity along with the values.

4.2 The Differential Enumeration Technique

Observation 4 shows that the possible multisets depend on 24 explicitly stated parameters. In order to reduce the size of the precomputed table, we would like to choose the δ-set such that several of these parameters will equal pre-determined constants. Of course, the key bytes are not known to the adversary and thus cannot be "replaced" by such constants. At first glance, it seems that the bytes in the intermediate states $X_1$ and $X_2$ also cannot be made equal to pre-determined constants by choosing the plaintexts appropriately, since they are separated from the plaintexts by operations involving an unknown key. However, we show that by using an expected-probability differential (i.e., a differential whose probability is not assumed to be especially high or especially low) for 4-round AES, the plaintext $P^0$ can be chosen such that the full 128-bit state $X_2$ will assume one of at most $2^{64}$ particular values (which can be computed in advance and are independent of the choice of key) instead of $2^{128}$ possible values.

Consider a truncated differential for four full AES rounds, in which both the input and the output differences are non-zero in a single byte (e.g., byte 0 both in the input and in the output). The probability of this differential is expected to be about $2^{-120}$ (footnote 5), and thus it is expected that $2^{120}$ randomly chosen pairs with difference only in byte 0 would contain one pair that satisfies the differential. Moreover, since each δ-set contains $2^{15}$ pairs with difference in a single byte, a collection of $2^{105}$ randomly chosen δ-sets in which byte 0 is active is expected to contain a right pair with respect to the differential. For right pairs, we show the following:

5 The probability of $2^{-120}$ is based on the assumption that 4-round AES behaves like a random permutation with respect to this differential, and thus forcing 120 bits to be equal has this probability. If this is not the case, it is expected that other more powerful attacks on AES may exist.

Fig. 3. The 4-Round Differential Characteristic Used in Our Attack

Observation 5. Let $(P^1, P^2)$ be a right pair with respect to the differential (i.e., the difference $P^1 \oplus P^2$ is non-zero only in byte 0, and the difference between the corresponding ciphertexts, $C^1 \oplus C^2$, is also non-zero only in byte 0). Then the intermediate state $X_2$ assumes one of at most $2^{64}$ prescribed values.

Proof. The proof is a meet-in-the-middle argument. We start with the "top side" of the four rounds. Due to the structure of AES, the difference between the states $X^1_{1(SB)}$ and $X^2_{1(SB)}$ (the intermediate values after SubBytes of round 1) is non-zero only in bytes 0, 1, 2, 3. Thus, this difference can assume at most $2^{32}$ distinct values. Since the ShiftRows, the MixColumns, and the AddRoundKey operations are linear, this implies that the difference $X^1_2 \oplus X^2_2$ can assume at most $2^{32}$ different values.

On the other hand, from the "bottom side" we see that the difference $X^1_3 \oplus X^2_3$ is non-zero only in bytes 0, 5, 10, 15. Since the ShiftRows, the MixColumns, and the AddRoundKey operations are linear, this implies that the difference $X^1_{2(SB)} \oplus X^2_{2(SB)}$ can assume at most $2^{32}$ different values.

It is well-known that given the input and output differences of the SubBytes operation, there is one possibility on average for the actual pair of input/output values (footnote 6). Moreover, this pair of actual values does not depend on the key, and can be easily found by precomputing the full difference distribution table of the SubBytes operation. Since for the right pair we consider, there are at most $2^{32} \cdot 2^{32} = 2^{64}$ possible pairs of input/output differences of the SubBytes operation in round 2, there are at most $2^{64}$ possible values of the full state $X_2$, as asserted. □

It follows from the observation that if we choose the δ-set such that $P^0$ is a member of a right pair with respect to this expected-probability differential, we are assured that the state $X_2$ can assume at most $2^{64}$ possible values. Moreover, since these values do not depend on the key and can be computed in advance, this makes it possible to construct the "table of possible multisets" only for these $2^{64}$ values, which reduces the size of the table and the time complexity of the preprocessing phase by a huge factor of $2^{57}$, as shown below.

Three additional remarks are due:

— Firstly, in order to exploit the expected-probability differential we have to consider as many as $2^{113}$ chosen plaintexts, which increases the data complexity of the attack. However, the resultant tradeoff is advantageous, since the data complexity was smaller than the other complexities.

6 Actually, given the input/output differences, with probability of about 1/2 there are no such pairs, with probability of about 1/2 there are two pairs, and with probability of about 1/256 there are four pairs.

168 O. Dunkelman, N. Keller, and A. Shamir

— Secondly, in order to detect the right pair with respect to the differential, the adversary has to guess several key bytes in the rounds before and after the differential. However, it turns out that if the differential is chosen such that the non-zero differences are in the bytes which are active in the δ-set, these key bytes coincide with the key bytes that should be guessed in the original Demirci-Selçuk attack. Hence, this does not increase the time complexity of the online phase of the attack.

— Finally, the total number of possible multisets after the combination with the differential is not $2^{184} \cdot 2^{-64} = 2^{120}$, but rather $2^{127}$. The reason for this increase is that in the original attack, the number of multisets is reduced by a factor of $2^8$ since each δ-set corresponds to $2^8$ different multisets, according to the possible choices of $P^0$ (see the proof of Observation 4). In the new version of the attack, we are forced to choose $P^0$ to be one of the members of the right pair w.r.t. the differential, and thus each δ-set corresponds to only two "special" multisets (footnote 7). Therefore, the memory complexity and the time complexity of the preprocessing phase are reduced by a factor of $2^{57}$ rather than $2^{64}$, compared to Observation 4.


4.3 The Key Bridging Technique

In this section we show that the time complexity of the online phase in the attacks on 8-round AES-192 and AES-256 can be reduced significantly by using key schedule considerations. While most of these considerations are simple, one of them is a novel observation that allows the adversary to deduce some subkey bytes from some other subkey bytes, even though they are separated by many key mixing steps.

We start with the attack on 8-round AES-192. Recall that in the online phase of this attack, the adversary has to guess four bytes of the subkey $k_{-1}$, one byte of the equivalent subkey $u_5$, four bytes of the equivalent subkey $u_6$, and the full $k_7$. The exact number of bytes that should be guessed depends on the choice of the active byte of the δ-set and of the byte in which the multiset is constructed. It turns out that if the byte to be examined at the end of round 4 is one of the bytes 1, 6, 11, 12, then the number of guessed key bytes is reduced by three. Indeed, by the key schedule of AES-192, the knowledge of $k_7$ yields the knowledge of the first two columns of $k_6$ (and thus also of $u_6$) and of the last column of $k_5$ (and thus also of $u_5$).

7 We note that while the table of possible multisets is constructed according to one member of the right pair, it may occur that in the actual attack, the other member is chosen as $P^0$, and thus the multiset does not match the table (even for the right key guess). A simple solution is to repeat the attack for both members of the right pair. A more advanced solution, which saves the extra factor of two in the time complexity of the attack, is to store the multisets only up to XOR with a constant value. This can be achieved by a small modification to the preprocessing phase, consisting of XORing each multiset with the 256 possible byte values and storing in the table the resulting multiset which is the least in the lexicographic order amongst the 256 possibilities.

If the byte to be checked at the end of round 4 is byte 1, then the bytes to guess are byte 13 of $u_5$, bytes 3, 6, 9, 12 of $u_6$, and the full subkey $k_7$. However, once $k_7$ is guessed, bytes 3, 6 of $u_6$ and byte 13 of $u_5$ can be computed from the key schedule, thus reducing the time complexity of the online phase of the attack by a factor of $2^{24}$.

The complexity can be further reduced by another factor of $2^8$ using the following novel observation:

Observation 6. By the key schedule of AES-192, knowledge of columns 0, 1, 3 of the subkey $k_7$ allows one to deduce column 3 of the whitening key $k_{-1}$ (which is actually column 3 of the master key).

The main novelty in this observation is that it exploits the weak key schedule of AES-192 in order to provide a surprisingly long "bridge" between two subkeys which are separated by 8 key mixing steps (applied in the reverse direction). In particular, it makes it possible to compute one byte in the whitening subkey $k_{-1}$ directly from four bytes in the last subkey $k_7$ (footnote 8), which saves a factor of $2^8$ in the time complexity of any attack which has to guess these five subkey bytes. Since guessing key material in the first and last round is very common in attacks, this observation can be widely applicable (e.g., it can reduce the time complexity of the related-key attack on 8-round AES-192 presented in [?] from $2^{180}$ to $2^{172}$).

Proof. For the detailed proof and reasoning, we refer the reader to the full version of the paper. Given $W[32], W[33], W[35]$, it is possible to compute $W[27] = W[32] \oplus W[33]$ and $W[23] = W[33] \oplus W[35]$. From these two values, it is possible to compute $W[3] = W[27] \oplus SB(W[23] \lll 8) \oplus RCON[4]$. □

Since in the 8-round attack, one of the subkey bytes guessed by the adversary is included in the column $W[3]$ (regardless of the active byte in the δ-set), this reduces the time complexity by another factor of $2^8$. In total, the key schedule considerations reduce the time complexity of the online phase of the attack on AES-192 by a factor of $2^{32}$.

In the attack on 8-round AES-256, key schedule considerations can help the adversary only a little. By the key schedule, the subkey $u_6$ is independent of the subkey $k_7$, and thus the only subkey byte the adversary can retrieve is the single byte of $u_5$. As the novel observation does not hold for AES-256, key schedule arguments can reduce the time complexity only by a factor of $2^8$.

5 Our New Attack on 7-Round AES

In this section we present our new attack on 7-round AES. For the sake of simplicity, we present here only the basic variant of the attack, which is used later as part of the 8-round attack. In Appendix A we show how to improve the attack using alteration of the expected-probability differential and time/memory/data tradeoffs, such that the resulting time complexity will be lower than the complexity of all previously known attacks on 7-round AES (in all its three flavors).

8 The four bytes of $k_7$ are bytes 0 and 4 (for obtaining byte 0 of $W[27]$) and bytes 7 and 15 (for obtaining byte 3 of $W[23]$).

5.1 The Basic Attack

In this attack, the byte with non-zero difference in the expected-probability differential is byte 0, both in the input and in the output differences. The active byte of the δ-set and the byte that is checked in the state $X_5$ are taken to be byte 0 as well. The attack works similarly if these bytes are replaced by any other pair of bytes, as long as the correspondence between the differential and the δ-set is preserved.

The algorithm of the basic attack is as follows:

1. Preprocessing phase: Compute the $2^{127}$ possible values of the "special" multisets defined by Observations 4 and 5 and store them in a hash table.

2. Online phase:

(a) Phase A — Detecting the right pair

i. Ask for the encryption of $2^{81}$ structures of $2^{32}$ plaintexts, such that in each structure, bytes 0, 5, 10, 15 assume the $2^{32}$ possible values and the rest of the bytes are constant.

ii. For each structure, store the ciphertexts in a hash table and look for pairs with no difference in bytes 1, 2, 3, 4, 5, 6, 8, 9, 11, 12, 14, 15 (footnote 9). Since this is a 96-bit filtering, about $2^{48}$ pairs remain.

iii. For each remaining pair, guess bytes 0, 5, 10, 15 of $k_{-1}$ and check whether the difference in the state $X_1$ is non-zero only in byte 0. For each key guess, about $2^{24}$ pairs are expected to remain.

iv. For each remaining pair, guess bytes 0, 7, 10, 13 of $u_6$ and check whether the difference in the state $X_5$ is non-zero only in byte 0. For each key guess, only one pair is expected to remain.

(b) Phase B — Checking the δ-set

i. For each guess of the eight subkey bytes made in Phase A and for the corresponding pair, take one of the members of the pair, denote it by $P^0$, and find its δ-set using the knowledge of bytes 0, 5, 10, 15 of $k_{-1}$. (This is done by taking $X^0_1$, XORing it with the 255 possible values which are non-zero only in byte 0, and decrypting the 255 obtained values through round 0 using the known subkey bytes. The resulting plaintexts are the other members of the δ-set.)

ii. Guess byte 0 of $u_5$, and using the knowledge of bytes 0, 7, 10, 13 of $u_6$, partially decrypt the ciphertexts of the δ-set to obtain the multiset $[X^0_{5,0} \oplus X^0_{5,0},\; X^1_{5,0} \oplus X^0_{5,0},\; \ldots,\; X^{255}_{5,0} \oplus X^0_{5,0}]$.

iii. Check whether the multiset exists in the hash table. If not, discard the key guess (possibly using auxiliary techniques such as repetition of the attack with a different output byte).

(c) Exhaustively search the rest of the key: For each remaining key guess, find the remaining key bytes by exhaustive search.

9 In the description of our attack we assume that the last round does not contain the MixColumns operation. If it does contain it, one can swap the order of the last round's MixColumns and AddRoundKey and apply the attack with the respective changes.

It is clear that the time complexity of the online phase of the attack is dominated by encrypting $2^{113}$ plaintexts, and hence, the data and time complexity of this part of the attack is $2^{113}$. The memory complexity is $2^{129}$ 128-bit blocks, since each multiset contains about 512 bits of information and its representation can be easily compressed into 512 bits of space. The time complexity of the preprocessing phase of the attack is approximately $2^{127} \cdot 2^{8} \cdot 2^{-3} = 2^{132}$ encryptions.
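Two representation details of the table entries are stated only in passing: the canonical form "up to XOR with a constant" of footnote 7, which makes the lookup independent of which member of the right pair is chosen as $P^0$, and the packing of each multiset into about 512 bits mentioned in the memory count above. The following Python is an added example (not the paper's own code) that makes both concrete. It keeps a multiset as a 256-entry count vector, computes the lexicographically least of its 256 XOR-translates as the table key, and encodes a count vector into 511 bits with a stars-and-bars layout padded to 64 bytes. The sample multiset is constructed from a fixed seed, not taken from a real encryption, and all function names are the example's own.

```python
"""Multiset storage for the precomputed table: canonical form and compression.

Added example, not code from the paper.  A multiset of byte values
X^j_{5,0} ^ X^0_{5,0}, j = 0..255, is held as a count vector counts[v] =
multiplicity of v (the counts sum to 256, and counts[0] >= 1 since j = 0
contributes the value 0).
"""


def multiset_counts(values) -> list:
    """Count vector of a multiset of byte values."""
    counts = [0] * 256
    for v in values:
        counts[v] += 1
    return counts


def xor_translate(counts: list, c: int) -> list:
    """Count vector of {v ^ c : v in the multiset}.  Re-basing the multiset on the
    other member of a right pair is exactly such a translation (footnote 7)."""
    out = [0] * 256
    for v, n in enumerate(counts):
        out[v ^ c] = n
    return out


def canonical(counts: list) -> tuple:
    """Lexicographically least of the 256 XOR-translates: the table key of footnote 7,
    so both members of the right pair map to the same entry."""
    return min(tuple(xor_translate(counts, c)) for c in range(256))


def encode(counts: list) -> bytes:
    """Stars and bars: a 1 bit per element, a 0 bit between consecutive values.
    256 ones + 255 zeros = 511 bits; one pad bit makes 64 bytes (512 bits)."""
    bits = []
    for v in range(256):
        bits.extend([1] * counts[v])
        if v != 255:
            bits.append(0)
    assert len(bits) == 256 + 255
    bits.append(0)
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2) for i in range(0, 512, 8))


def decode(blob: bytes) -> list:
    """Inverse of encode(): walk the bits, a 0 moves to the next value, a 1 counts one."""
    bits = [(byte >> (7 - k)) & 1 for byte in blob for k in range(8)][:511]
    counts, v = [0] * 256, 0
    for b in bits:
        if b:
            counts[v] += 1
        else:
            v += 1
    return counts


def sample_multiset(seed: bytes) -> list:
    """Constructed stand-in for a δ-set image: 256 pseudo-random bytes, element j = 0 forced to 0."""
    vals = [0] + [(seed[i % len(seed)] ^ ((i * 37) & 0xFF)) for i in range(1, 256)]
    return multiset_counts(vals)
```

With the canonical key, a table built from one member of the right pair is hit by a lookup built from the other member, which is the factor of two in time that footnote 7 saves; with the 64-byte encoding, $2^{127}$ entries occupy $2^{127} \cdot 4 = 2^{129}$ AES blocks, matching the memory figure in the text.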

In Appendix A we show that the attack can be improved by altering the expected-probability differential, using several differentials in parallel, and applying time/memory/data tradeoffs. The resulting complexities lie on the following tradeoff curve: data complexity $2^{103+n}$ chosen plaintexts, time complexity $2^{103+n}$ encryptions, memory requirement $2^{129-n}$ AES blocks, for any $n \ge 0$. Choosing $n = 13$, all three complexities are equalized at $2^{116}$, which is lower than the time complexities of all known attacks on 7-round AES, in all its three flavors (see Table 1).

6 Extension to Attacks on 8-Round AES-192 and AES-256

In this section we present the first non-marginal attack on 8-round AES-192. The data complexity of the attack is $2^{113}$ chosen plaintexts, the memory requirement is $2^{129}$ 128-bit blocks, and the time complexity is $2^{172}$ encryptions. A variant of the attack can be applied to 8-round AES-256. The data and memory requirements remain unchanged, but the time complexity is increased to $2^{196}$ encryptions. We present the attack on AES-192; the attack on AES-256 is similar.

In the attack presented below, we choose the non-zero byte in the output difference of the expected-probability differential to be byte 1. Accordingly, the byte to be checked in the δ-set is also chosen as byte 1. This change is required in order to apply the key schedule considerations presented in Section 4.3. The only non-zero byte in the input difference of the differential and the only active byte of the δ-set can still be chosen arbitrarily, as long as they are the same. Without loss of generality, in the sequel we assume that this byte is byte 0.

A trivial generalization of the 7-round attack presented in Section 5 to eight rounds is to guess the full $k_7$, and for each guess, decrypt all the ciphertexts through the last round and apply the 7-round attack. In our attack this approach leads to an extremely high time complexity. Specifically, the detection of the right pair would require $2^{113} \cdot 2^{128} = 2^{241}$ encryptions. Instead, we use the early abort technique that was described in [?]. We present here the technique only briefly, and refer the reader to [?] for the full details.
Table 1. A Comparison of Previous Results with Our New Attacks

Rounds | Key Size | Data (CP)            | Memory      | Time              | MinMax*     | Attack Type & Source
-------+----------+----------------------+-------------+-------------------+-------------+------------------------------
7      | 128      | 2^{112.2}            | 2^{112.2}   | 2^{117.2} MA      | 2^{117.2}   | Impossible Differential [12]
7      | 128      | 2^{103+n}            | 2^{129-n}   | 2^{103+n}         | 2^{116}     | Our Results (Sect. 5)
7      | 192      | 19 · 2^{32}          | 19 · 2^{32} | 2^{155}           | 2^{155}     | SQUARE [10]
7      | 192      | 2^{32}               | 2^{80}      | 2^{140}           | 2^{140}     | Collision [11]
7      | 192      | 2^{46+n}             | 2^{192-n}   | 2^{94+n}          | 2^{143}     | Meet in the Middle [7]
7      | 192      | 2^{113.8}            | 2^{113.8}   | 2^{118.8} MA      | 2^{118.8}   | Impossible Differential [12]
7      | 192      | 2^{103+n}            | 2^{129-n}   | 2^{103+n}         | 2^{116}     | Our Results (Sect. 5)
7      | 256      | 21 · 2^{32}          | 21 · 2^{32} | 2^{172}           | 2^{172}     | SQUARE [10]
7      | 256      | 2^{32}               | 2^{80}      | 2^{140}           | 2^{140}     | Collision [11]
7      | 256      | 2^{34+n}             | 2^{204-n}   | 2^{82+n}          | 2^{143}     | Meet in the Middle [7]
7      | 256      | 2^{113.8}            | 2^{113.8}   | 2^{118.8} MA      | 2^{118.8}   | Impossible Differential [12]
7      | 256      | 2^{103+n}            | 2^{129-n}   | 2^{103+n}         | 2^{116}     | Our Results (Sect. 5)
8      | 192      | 2^{127.997}          | 2^{128}     | 2^{188}           | 2^{188}     | SQUARE [10]
8      | 192      | 2^{113+n}            | 2^{129-n}   | 2^{172+n}         | 2^{172}     | Our Results (Sect. 6)
8      | 256      | 2^{34+n}             | 2^{206-n}   | 2^{205.6+n}       | 2^{205.8}   | Meet in the Middle [7]†
8      | 256      | 2^{34+max(n-24,0)}   | 2^{208-n}   | 2^{206+n} MA      | 2^{208}     | Meet in the Middle [8]‡
8      | 256      | 2^{89.1}             | 2^{97}      | 2^{229.7} MA      | 2^{229.7}   | Impossible Differential [12]
8      | 256      | 2^{127.997}          | 2^{128}     | 2^{204}           | 2^{204}     | SQUARE [10]
8      | 256      | 2^{113+n}            | 2^{129-n}   | 2^{196+n}         | 2^{196}     | Our Results (Sect. 6)

* — the lowest time complexity which exceeds the other complexities via the tradeoff option (if available).

† — [7] estimates the cost of partial encryption as 2^{-8} of an encryption. As there are at least six columns which take part in the partial encryption/decryption, we believe that 2^{-4} is a more accurate estimate.

‡ — The complexity is higher than claimed in [8] due to a flaw in the analysis.

Time complexity measures the time in encryption units unless mentioned otherwise. Memory complexity is measured in AES blocks. CP — Chosen plaintext, MA — Memory Accesses.

In the following, the adversary examines each of the $2^{113} \cdot 2^{31} = 2^{144}$ pairs separately, and her goal is to detect the subkey candidates for which that pair satisfies the expected-probability differential.

Note that if $(P^1, P^2)$ is a right pair, then the corresponding intermediate states $(X^1_{6(SR)}, X^2_{6(SR)})$ have non-zero difference only in bytes 3, 6, 9, 12. Hence, in each column of $X_{6(SR)}$ there are only $2^8$ possible differences. Since the MixColumns and AddRoundKey operations are linear, this implies that in each column of $X_7$ there are only $2^8$ possible differences, and thus only $2^{32} \cdot 2^{8} = 2^{40}$ possible pairs of actual values. In the technique presented in [?], the adversary considers these $2^{40}$ pairs in advance, encrypts them through round 7, and stores the actual values before the last AddRoundKey operation in a hash table, sorted by the output difference. In the online phase of the attack, for each examined pair, the adversary considers each shifted column (e.g., bytes 0, 7, 10, 13) independently, and accesses the hash table in the row corresponding to the ciphertext difference. It is expected that $2^{40} \cdot 2^{-32} = 2^{8}$ values appear in each row. Since the table gives the actual values before the AddRoundKey operation, and the ciphertexts are the values after that operation, each of the pairs in the table suggests one value for the 32-bit subkey corresponding to that shifted column.

Therefore, for each examined pair, and for each shifted column, the adversary obtains a list of $2^8$ candidates for the 32-bit subkey corresponding to that column. In a basic variant of the attack, the adversary aggregates these suggestions to $2^{32}$ suggestions for the full $k_7$, and for each suggestion, she decrypts the ciphertext pair through round 7. Then she uses a similar precomputed table for round 6 to get a list of $2^8$ possible values of bytes 3, 6, 9, 12 of $u_6$. For each such value, the adversary checks whether the relations between bytes 3, 6 of $u_6$ and the subkey $k_7$ described in Section 4.3 hold. If not, the subkey guess is discarded. Since this is a 16-bit filtering, the adversary is left with $2^{24}$ candidates for the full $k_7$ and bytes 3, 6, 9, 12 of $u_6$. Finally, using a precomputed table also in round 0, the adversary obtains a list of $2^8$ possible values of bytes 0, 5, 10, 15 of $k_{-1}$. For each such value, the adversary checks whether the relation between byte 15 of $k_{-1}$ and the subkey $k_7$ described in Section 4.3 holds. If not, the subkey guess is discarded. Since this is an 8-bit filtering, the adversary is left with $2^{24}$ candidates for the full $k_7$, bytes 3, 6, 9, 12 of $u_6$, and bytes 0, 5, 10, 15 of $k_{-1}$. For each of these candidates, $(P^1, P^2)$ is a right pair w.r.t. the expected-probability differential, and the second phase of the attack can be applied.

The time complexity of this procedure is $2^{40}$ simple operations for each examined pair, or $2^{144} \cdot 2^{40} \cdot 2^{-8} = 2^{176}$ encryptions in total.

The time complexity can be slightly reduced by using a more sophisticated precomputed table in order to check the consistency between bytes 3, 6 of $u_6$ and the subkey $k_7$. The table takes bytes 3, 6 of $MC^{-1}(X_6)$ in both pairs, along with bytes 2, 3, 5, 6 of $u_7$, and returns the consistent values for bytes 3, 6 of $u_6$, if there are any. The precomputation is done by trying all possible candidates for the pair of bytes for $MC^{-1}(X_6)$ along with the corresponding bytes of $u_7$, to see if the decrypted values satisfy the linear relation on the differences before the SubBytes operation of round 5. If this is the case, the entry corresponding to the $MC^{-1}(X_6)$ values and all subkeys of $u_7$ which satisfy the key relation is stored with the respective $u_6$ bytes. We note that for each key and each pair, there is probability of $2^{-8}$ that the condition is satisfied, and thus only $2^{56}$ of the entries in the table are nonempty.

In the second part of the online phase of the attack, performed for each of the $2^{144}$ pairs $(P^1, P^2)$ and each of the $2^{24}$ subkeys corresponding to the pair, the adversary constructs a δ-set and checks whether the corresponding multiset appears in the table. Note that while in the 7-round attack this phase requires guessing an additional subkey byte (which is byte 13 of $u_5$), in this attack that subkey byte can be derived from the subkey $k_7$. The time complexity of the second part is $2^{168} \cdot 2^{8} \cdot 2^{-4} = 2^{172}$ encryptions.

Therefore, the overall memory requirement of the attack is $2^{129}$ 128-bit blocks (as in the basic version of the 7-round attack), the data complexity is $2^{113}$ chosen plaintexts, and the time complexity is $2^{172}$ encryptions. These complexities improve significantly over the only previously known attack on AES-192, which is a SQUARE attack [10] requiring almost the entire codebook and time complexity of $2^{188}$ encryptions.

7 Summary

In this paper we introduced three new cryptanalytic techniques which can be used to improve the best known complexities of all the known attacks on 7- and 8-round versions of AES, as detailed in Table 1. In particular, we describe the first real attack on 8-round AES-192 which does not use the full codebook in order to marginally improve the time complexity of exhaustive search. However, all our attacks have impractical complexities, and thus they do not endanger the security of any fielded system.
A Improvements of the Attack on 7-Round AES

A.1 Altering the Expected-Probability Differential

Our first improvement reduces the data and time complexities of the attack by a factor of $2^8$ without affecting the memory requirements.

We observe that the time complexity of most components of the attack is significantly lower than the time required to encrypt the plaintexts. Therefore, a tradeoff that would decrease the data complexity, even at the price of increasing the time complexity of the other parts of the attack, may reduce its overall complexity.

Such a tradeoff is achieved by slightly modifying the expected-probability differential used in the attack. Instead of requiring the input difference to be non-zero only in byte 0, we can allow the difference to be non-zero also in one of the bytes 5, 10, 15. These bytes are chosen such that the number of possible differences in the state $X_2$ is not increased, and thus the memory complexity is preserved.

This change reduces the data complexity of the attack to $2^{105}$, since it allows the adversary to use structures of size $2^{16}$ that contain $2^{31}$ pairs with the input difference of the differential. On the other hand, the change requires guessing four additional bytes of $k_{-1}$ in order to detect the right pair (if the additional byte is byte 5, then the additional guessed bytes are 3, 4, 9, 14). As a result, the number of pairs remaining after the first filtering step of the attack is increased to $2^{72}$ (instead of $2^{48}$). For each such pair, there are $2^{24}$ possible values of 12 subkey bytes (8 bytes of $k_{-1}$ and 4 bytes of $u_0$) for which that pair satisfies the expected-probability differential. As in the 8-round attack, these values can be found with time complexity of $2^{24}$ table look-ups for each pair, using the early abort technique. Thus, the time complexity of Phase A of the modified attack is $2^{96}$ table look-ups.

In Phase B, we observe that since the value of bytes 3, 4, 9, 14 of $k_{-1}$ is irrelevant to the examination of the $\delta$-set, the phase has to be performed only $2^{16}$ times for each of the $2^{72}$ pairs (instead of $2^{24}$ times). Thus, its time complexity is $2^{72} \cdot 2^{16} \cdot 2^{8} \cdot 2^{8} \cdot 2^{-3} = 2^{101}$ encryptions. Therefore, the overall time complexity of the attack is still dominated by the encryption of the plaintexts, and thus both the data and the time complexity of the attack are reduced to $2^{105}$.


A.2 Using Several Differentials in Parallel

Our second improvement further reduces the data and time complexities by a factor of 5 without affecting the memory requirements.

We observe that the data complexity can be reduced by using several differentials in parallel. Since there is nothing special in the choice of the active byte at the input and the output of the original differential, there are 256 possible differentials that can be used in parallel. In the basic 7-round attack this improvement leads to a data/memory tradeoff: the attack requires the "active" bytes of the $\delta$-set to correspond to the non-zero difference bytes of the differential, and altering the active bytes of the $\delta$-set requires preparing a different precomputed table for each choice of the bytes. As a result, the data complexity can be reduced by a factor of up to 256, but the memory requirement is increased by the same factor. Since the memory complexity is the dominant one in the 7-round attack, this tradeoff is not profitable.

However, in the modified attack the data complexity can be reduced by a small factor without affecting the memory complexity. We observe that since the additional "active" byte in the expected-probability differential is not used in the analysis of the $\delta$-set, it can be chosen without affecting the memory complexity. There are six possible ways to choose this byte (bytes 5, 10, 15 in the input and bytes 1, 2, 3 in the output), and five of them can be used in parallel with the same set of chosen plaintexts.^{10} This reduces the data complexity of the attack by a factor of 5 without affecting the memory complexity. Since the time complexity is dominated by encrypting the plaintexts, it is also reduced by a factor of 5. Therefore, the data and time complexities of the modified attack are smaller than $2^{103}$. In the sequel, we assume for the sake of simplicity that these complexities are equal to $2^{103}$.


A.3 Time/Memory/Data Tradeoffs

We conclude with a fine tuning of the complexities using a simple tradeoff between data, time, and memory as proposed in [1]. In the preprocessing phase, we precompute the table only for some of the values, and then for each key guess, we perform the attack for several $\delta$-sets in order to compensate for the missing part of the table. For each $n > 0$, this tradeoff decreases the memory complexity and the time complexity of the preprocessing phase by a factor of $2^n$, and increases the data complexity and the online time complexity by the same factor $2^n$. The resulting complexities lie on the following tradeoff curve: data complexity $2^{103+n}$ chosen plaintexts, time complexity $2^{103+n}$ encryptions, memory requirement $2^{129-n}$ AES blocks, for any $n > 0$. Choosing $n = 13$, all three complexities are equalized at $2^{116}$, which is lower than the time complexities of all known attacks on 7-round AES, in all its three flavors.

^{10} In order to do this, the adversary considers structures of size $2^{96}$ plaintexts each, in which bytes 1, 6, 11, 12 are constant and the other bytes take all the $2^{96}$ possible values. This allows using bytes 5 and 10 as the additional active byte in the input of the differential.
Abstract. We introduce and formally define polynomial commitment schemes, and provide two efficient constructions. A polynomial commitment scheme allows a committer to commit to a polynomial with a short string that can be used by a verifier to confirm claimed evaluations of the committed polynomial. Although the homomorphic commitment schemes in the literature can be used to achieve this goal, the sizes of their commitments are linear in the degree of the committed polynomial. On the other hand, polynomial commitments in our schemes are of constant size (single elements). The overhead of opening a commitment is also constant; even opening multiple evaluations requires only a constant amount of communication overhead. Therefore, our schemes are useful tools to reduce the communication cost in cryptographic protocols. On that front, we apply our polynomial commitment schemes to four problems in cryptography: verifiable secret sharing, zero-knowledge sets, credentials and content extraction signatures.

Keywords: Polynomial Commitments, Verifiable Secret Sharing, Zero-Knowledge Sets, Credentials.

1 Introduction

Commitment schemes are fundamental components of many cryptographic protocols. A commitment scheme allows a committer to publish a value, called the commitment, which binds her to a message (binding) without revealing it (hiding). Later, she may open the commitment and reveal the committed message to a verifier, who can check that the message is consistent with the commitment.

We review three well-known ways a committer can commit to a message. Let $g$ and $h$ be two random generators of a group $\mathbb{G}$ of prime order $p$. The committer can commit to a message $m \in_R \mathbb{Z}_p$ simply as $C_g(m) = g^m$. This scheme is unconditionally binding, and computationally hiding under the assumption that the discrete logarithm (DL) problem is hard in $\mathbb{G}$. The second scheme, known as a Pedersen commitment [31], is of the form $C_{g,h}(m, r) = g^m h^r$, where $r \in_R \mathbb{Z}_p$. Pedersen commitments are unconditionally hiding, and computationally binding under the DL assumption. Third, the committer may publish $H(m)$ or $H(m \| r)$ for any one-way function $H$. In practice a collision-resistant hash function is often used. A survey by Damgård [16] covers commitment schemes in detail.

* An extended version of this paper is available [24]. This research was completed at the University of Waterloo.

© International Association for Cryptologic Research 2010

A. Kate, G.M. Zaverucha, and I. Goldberg

Now consider committing to a polynomial $\phi(x) \in_R \mathbb{Z}_p[x]$, a problem motivated by verifiable secret sharing. Suppose $\phi(x)$ has degree $t$ and coefficients $\phi_0, \ldots, \phi_t$. We could commit to the string $(\phi_0 | \phi_1 | \cdots | \phi_t)$, or to some other unambiguous string representation of $\phi(x)$. Based on the commitment function used, this option may have a constant size commitment which uniquely determines $\phi(x)$. However, it limits the options for opening the commitment; opening must reveal the entire polynomial. This is not always suitable for cryptographic applications, most notably secret sharing, that require evaluations of the polynomial (i.e., $\phi(i)$ for $i \in \mathbb{Z}_p$) be revealed to different parties or at different points in the protocol without revealing the entire polynomial. One solution is to commit to the coefficients, e.g., $C = (g^{\phi_0}, \ldots, g^{\phi_t})$, which allows one to easily confirm that an opening $\phi(i)$ for index $i$ is consistent with $C$. However, this has the drawback that the size of the commitment is now $t + 1$ elements of $\mathbb{G}$.

Our Contributions. The main contribution of this paper is an efficient scheme to commit to polynomials $\phi(x) \in \mathbb{Z}_p[x]$ over a bilinear pairing group, called PolyCommit_DL, with the following features. The size of the commitment is constant, a single group element. The committer can efficiently open the commitment to any correct evaluation $\phi(i)$ along with an element called the witness, which allows a verifier to confirm that $\phi(i)$ is indeed the evaluation at $i$ of the polynomial $\phi(x)$. The construction is based on an algebraic property of polynomials $\phi(x) \in \mathbb{Z}_p[x]$ that $(x - i)$ perfectly divides the polynomial $\phi(x) - \phi(i)$ for any $i \in \mathbb{Z}_p$. The hiding property of the scheme is based on the DL assumption. The binding property of the main scheme is proven under the SDH assumption [6]. Using a technique similar to Pedersen commitments, we also define a stronger commitment scheme PolyCommit_Ped, which achieves unconditional hiding and computational binding under the SDH assumption.

When a set of evaluations $\{\phi(i) : i \in S\}$ is opened at the same time, what we term batch opening, the overhead still remains a single witness element. Security of batch opening assumes that the bilinear version of the SDH (BSDH) problem [21] is hard. Further, our schemes are homomorphic and easily randomizable. As in other work on reducing communication costs (e.g., [8]) the global system parameters are somewhat large ($O(t)$ in our case). Reducing communication complexity (i.e., the number of bits transferred) is our goal, and to this end we apply the PolyCommit schemes to the following four applications.

First we apply the PolyCommit schemes to the Feldman verifiable secret sharing (VSS) protocol [18]. The new VSS protocol requires a broadcast with size $O(1)$ as compared to $O(n)$ required in the best known protocols in the literature (where $n$ is the number of participants) [18, 31].

Second, we define and use the PolyCommit schemes to construct a relaxed type of zero-knowledge set (ZKS) [27]. A ZKS is a commitment to a set $S$, such that the committer may prove that $i \in S$, or $i \notin S$ without revealing additional information about $S$, not even $|S|$. We define nearly zero-knowledge sets as ZKS that do not attempt to hide the size of the committed set. This is sufficient for most applications of zero-knowledge sets, and our construction has constant size proofs of (non-)membership as compared to the best known constructions of ZKS that require non-constant communication [12, 25]. We apply the same relaxation to elementary zero-knowledge databases (ZK-EDB), and achieve constant communication there as well.

In the next application we leverage the efficiency of batch opening, by using the PolyCommit schemes in an efficient general construction of a content extraction signature (CES) scheme [35]. A CES scheme allows a signature holder to extract signatures for subsections of the signed message. The general construction, when instantiated with our commitment scheme and a general secure signature scheme, is as efficient as the best known CES scheme, which relies on specific properties of the RSA signature scheme.

In the special case when the CES scheme is used to authenticate a list of attributes, the result is a digital credential with an efficient selective show operation. A selective show allows the credential holder to reveal only a subset of the attributes, with proof that the revealed attributes are signed. More precisely, the communication cost of revealing $k$ attributes in a credential with $t$ attributes is $O(k)$, while known credential systems must communicate $O(t)$ bits. We also show how to efficiently prove knowledge of committed values, allowing predicates on attributes to be proven in zero-knowledge (also with complexity $O(k)$).

Outline. In the rest of this section, we compare our contributions with related work (work related to each application is included in the respective subsection). In §2, we cover some preliminary material and describe our cryptographic assumptions. §3 defines polynomial commitments and presents our constructions. §4 is devoted to applications while §5 presents some open problems. Due to space constraints, all security proofs are included in the extended version [24].

Related Work. Similar to our scheme, a Merkle hash tree [26] allows many values to be committed to with a single element. Here, the leaves of a binary tree are the messages. Each non-leaf node has the value $H(L \| R)$ where $L$ and $R$ are its children, and $H$ is a collision-resistant hash function. One can open the commitment to an individual message by revealing the message, and a path up the tree to the root. The opening has size $O(\log n)$ as compared to $O(1)$ in our scheme, where $n$ is the total number of (leaf) elements.

Chase et al. [13] introduce mercurial commitments to construct ZKS, which eventually led to the commitment schemes for committing to a vector of messages [12, 25]. Catalano et al. [12], and Libert and Yung [25] construct vector commitment schemes under the name trapdoor $t$-mercurial commitments. The security of both of these commitment schemes is based on SDH-like assumptions and their system parameters have size $O(t)$, as in our scheme. In [12], all messages must be revealed when opening, while in [25], the committer may open a commitment to a single message. However, in [25], it is not possible to have arbitrary indices for committed messages since each of the $t$ committed messages is associated with a value in the system parameters $g^{\alpha^j}$ for $j \in [1, t]$. Our scheme has no such restriction on the domain for the indices, offering greater flexibility.

Another related primitive is an accumulator [3], which aggregates a large set of input elements into a single element and can provide a witness as evidence that an element is included in the accumulator. Further, it is possible to use a witness to prove (in zero-knowledge) that the element is included in the accumulator. Camenisch and Lysyanskaya [10] extend the concept to dynamic accumulators, which support efficient updates. Au et al. [1] observe that a pairing-based accumulator by Nguyen [29] is a bounded accumulator, i.e., only a fixed number of elements can be accumulated. They then go on to use bounded accumulators to construct a compact e-cash scheme [2]. However, the accumulated elements in this scheme are not ordered, which makes it inappropriate for accumulating polynomials. While our PolyCommit schemes provide the same features as non-dynamic accumulators, they have additional features (hiding and batch opening) and are more general since we can commit to a polynomial instead of a set.


2 Preliminaries

In what follows, all adversaries are probabilistic polynomial time (PPT) algorithms with respect to a security parameter $\kappa$ except if stated otherwise. Further, they are static and they have to choose their nodes before protocol instances start. A function $\epsilon(\cdot) : \mathbb{N} \to \mathbb{R}^+$ is called negligible if for all $c > 0$ there exists a $k_0$ such that $\epsilon(k) < 1/k^c$ for all $k > k_0$. In the rest of the paper, $\epsilon(\cdot)$ will always denote a negligible function. We use the notation $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ to denote a symmetric (type 1) bilinear pairing in groups of prime order $p > 2^{2\kappa}$. The choice of type 1 pairings was made to simplify presentation; however, our constructions can easily be modified to work with pairings of types 2 and 3 as well. For details of bilinear pairings, see the extended version of the paper.

We use the discrete logarithm (DL) assumption [26, Chap. 3], and the $t$-strong Diffie-Hellman ($t$-SDH) assumption [6] to prove the security of the PolyCommit_DL and PolyCommit_Ped schemes. Security of two additional properties of the schemes requires a generalization of the $t$-Diffie-Hellman inversion ($t$-DHI) assumption [28, 5], and the bilinear version of $t$-SDH, the $t$-BSDH assumption [21].

Definition 1. Discrete Logarithm (DL) Assumption. Given a generator $g$ of $\mathbb{G}^*$, where $\mathbb{G}^* = \mathbb{G}$ or $\mathbb{G}_T$, and $a \in_R \mathbb{Z}_p^*$, for every adversary $\mathcal{A}_{DL}$, $\Pr[\mathcal{A}_{DL}(g, g^a) = a] = \epsilon(\kappa)$.

Mitsunari, Sakai and Kasahara [28] introduced the weak Diffie-Hellman assumption, which was renamed the $t$-DHI assumption by Boneh and Boyen [5] as this assumption is stronger than the Diffie-Hellman assumption, especially for large values of $t$. See Cheon [14] for a security analysis.

The $t$-DHI problem is, on input $\langle g, g^\alpha, \ldots, g^{\alpha^t} \rangle \in \mathbb{G}^{t+1}$, to output $g^{1/\alpha}$, or equivalently (see [7]), $g^{\alpha^{t+1}}$. In this paper, we use a generalization of the $t$-DHI assumption, where $\mathcal{A}$ has to output a pair $\langle \phi(x), g^{\phi(\alpha)} \rangle \in \mathbb{Z}_p[x] \times \mathbb{G}$ such that $2^\kappa > \deg(\phi) > t$. We call this assumption the $t$-polynomial Diffie-Hellman ($t$-polyDH) assumption. This assumption was implicitly made by [1, 2] to support their claim that the accumulator of [29] is bounded.^1

Definition 2. $t$-polynomial Diffie-Hellman ($t$-polyDH) Assumption. Let $\alpha \in_R \mathbb{Z}_p^*$. Given as input a $(t+1)$-tuple $\langle g, g^\alpha, \ldots, g^{\alpha^t} \rangle \in \mathbb{G}^{t+1}$, for every adversary $\mathcal{A}_{t\text{-polyDH}}$, the probability $\Pr[\mathcal{A}_{t\text{-polyDH}}(g, g^\alpha, \ldots, g^{\alpha^t}) = \langle \phi(x), g^{\phi(\alpha)} \rangle] = \epsilon(\kappa)$ for any freely chosen $\phi(x) \in \mathbb{Z}_p[x]$ such that $2^\kappa > \deg(\phi) > t$.

Boneh and Boyen [6] defined the $t$-SDH assumption that is related to but stronger than the $t$-DHI assumption and has exponentially many non-trivially different solutions, all of which are acceptable.

Definition 3. $t$-Strong Diffie-Hellman ($t$-SDH) Assumption. Let $\alpha \in_R \mathbb{Z}_p^*$. Given as input a $(t+1)$-tuple $\langle g, g^\alpha, \ldots, g^{\alpha^t} \rangle \in \mathbb{G}^{t+1}$, for every adversary $\mathcal{A}_{t\text{-SDH}}$, the probability $\Pr[\mathcal{A}_{t\text{-SDH}}(g, g^\alpha, \ldots, g^{\alpha^t}) = \langle c, g^{1/(\alpha + c)} \rangle] = \epsilon(\kappa)$ for any value of $c \in \mathbb{Z}_p \setminus \{-\alpha\}$.

Security of the batch opening extension of our commitment schemes requires the bilinear version of the $t$-SDH assumption, the $t$-BSDH assumption [21].

Definition 4. $t$-Bilinear Strong Diffie-Hellman ($t$-BSDH) Assumption. Let $\alpha \in_R \mathbb{Z}_p^*$. Given as input a $(t+1)$-tuple $\langle g, g^\alpha, \ldots, g^{\alpha^t} \rangle \in \mathbb{G}^{t+1}$, for every adversary $\mathcal{A}_{t\text{-BSDH}}$, the probability $\Pr[\mathcal{A}_{t\text{-BSDH}}(g, g^\alpha, \ldots, g^{\alpha^t}) = \langle c, e(g, g)^{1/(\alpha + c)} \rangle] = \epsilon(\kappa)$ for any value of $c \in \mathbb{Z}_p \setminus \{-\alpha\}$.

A similar assumption was also made in [22], but with a different solution: $\langle c, e(g, h)^{1/(\alpha + c)} \rangle$, where $h \in_R \mathbb{G}$ is an additional system parameter.

3 Polynomial Commitments

In this section we provide a formal definition of a polynomial commitment scheme, followed by two constructions. In the first construction the commitments are computationally hiding, while in the second they are unconditionally hiding. We also discuss some useful features of our constructions.

3.1 Definition

A polynomial commitment scheme consists of six algorithms: Setup, Commit, Open, VerifyPoly, CreateWitness, and VerifyEval.

^1 Note that we bound $\deg(\phi)$ by $2^\kappa$ as evaluations can be found for polynomials with higher degrees in PPT using number theoretic techniques (e.g., for $\phi(x) = x^{p-1}$, $g^{\phi(\alpha)} = g$ for any $\alpha \in \mathbb{Z}_p^*$). In practice, $\deg(\phi) \ll 2^\kappa$.
Setup($1^\kappa$, $t$) generates an appropriate algebraic structure $\mathcal{G}$ and a commitment public-private key pair $(PK, SK)$ to commit to a polynomial of degree $\leq t$. For simplicity, we add $\mathcal{G}$ to the public key $PK$. Setup is run by a trusted or distributed authority. Note that $SK$ is not required in the rest of the scheme.

Commit($PK$, $\phi(x)$) outputs a commitment $C$ to a polynomial $\phi(x)$ for the public key $PK$, and some associated decommitment information $d$. (In some constructions, $d$ is null.)

Open($PK$, $C$, $\phi(x)$, $d$) outputs the polynomial $\phi(x)$ used while creating the commitment, with decommitment information $d$.

VerifyPoly($PK$, $C$, $\phi(x)$, $d$) verifies that $C$ is a commitment to $\phi(x)$ created with decommitment information $d$. If so it outputs 1, otherwise it outputs 0.

CreateWitness($PK$, $\phi(x)$, $i$, $d$) outputs $\langle i, \phi(i), w_i \rangle$, where $w_i$ is a witness for the evaluation $\phi(i)$ of $\phi(x)$ at the index $i$ and $d$ is the decommitment information.

VerifyEval($PK$, $C$, $i$, $\phi(i)$, $w_i$) verifies that $\phi(i)$ is indeed the evaluation at the index $i$ of the polynomial committed in $C$. If so it outputs 1, otherwise it outputs 0.

Note that it is possible to commit to a list of messages $(m_1, \ldots, m_{t+1})$ by associating each to a unique key (index) $k_1, \ldots, k_{t+1}$ in $\mathbb{Z}_p$, and interpolating to find $\phi(x) \in \mathbb{Z}_p[x]$, such that $\deg(\phi) \leq t$ and $\phi(k_j) = m_j$.

In terms of security, a malicious committer should not be able to convincingly present two different values as $\phi(i)$ with respect to $C$. Further, until more than $\deg(\phi)$ points are revealed, the polynomial should remain hidden. Next, we formally define the security and correctness of a polynomial commitment.

Definition 5. (Setup, Commit, Open, VerifyPoly, CreateWitness, and VerifyEval) is a secure polynomial commitment scheme if it satisfies the following properties.

Correctness. Let $PK \leftarrow$ Setup($1^\kappa$) and $C \leftarrow$ Commit($PK$, $\phi(x)$). For a commitment $C$ output by Commit($PK$, $\phi(x)$), and all $\phi(x) \in \mathbb{Z}_p[x]$,

— the output of Open($PK$, $C$, $\phi(x)$) is successfully verified by VerifyPoly($PK$, $C$, $\phi(x)$), and,

— any $\langle i, \phi(i), w_i \rangle$ output by CreateWitness($PK$, $\phi(x)$, $i$) is successfully verified by VerifyEval($PK$, $C$, $i$, $\phi(i)$, $w_i$).

Polynomial Binding. For all adversaries $\mathcal{A}$:

$$\Pr\left[\begin{array}{l} PK \leftarrow \mathrm{Setup}(1^\kappa),\ (C, \langle \phi(x), \phi'(x) \rangle) \leftarrow \mathcal{A}(PK) : \\ \mathrm{VerifyPoly}(PK, C, \phi(x)) = 1 \ \wedge \\ \mathrm{VerifyPoly}(PK, C, \phi'(x)) = 1 \ \wedge\ \phi(x) \neq \phi'(x) \end{array}\right] = \epsilon(\kappa).$$

Evaluation Binding. For all adversaries $\mathcal{A}$:

$$\Pr\left[\begin{array}{l} PK \leftarrow \mathrm{Setup}(1^\kappa),\ (C, \langle i, \phi(i), w_i \rangle, \langle i, \phi(i)', w_i' \rangle) \leftarrow \mathcal{A}(PK) : \\ \mathrm{VerifyEval}(PK, C, i, \phi(i), w_i) = 1 \ \wedge \\ \mathrm{VerifyEval}(PK, C, i, \phi(i)', w_i') = 1 \ \wedge\ \phi(i) \neq \phi(i)' \end{array}\right] = \epsilon(\kappa).$$

Hiding. Given $\langle PK, C \rangle$ and $\{\langle i_j, \phi(i_j), w_{\phi_{i_j}} \rangle : j \in [1, \deg(\phi)]\}$ for a polynomial $\phi(x) \in_R \mathbb{Z}_p[x]$ such that VerifyEval($PK$, $C$, $i_j$, $\phi(i_j)$, $w_{\phi_{i_j}}$) $= 1$ for each $j$,

— no adversary $\mathcal{A}$ can determine $\phi(i)$ with non-negligible probability for any unqueried index $i$ (computational hiding) or

— no computationally unbounded adversary $\mathcal{A}$ has any information about $\phi(i)$ for any unqueried index $i$ (unconditional hiding).

3.2 Construction: PolyCommit_DL

We now provide an efficient construction of a polynomial commitment scheme. PolyCommit_DL is based on an algebraic property of polynomials $\phi(x) \in \mathbb{Z}_p[x]$: $(x - i)$ perfectly divides the polynomial $\phi(x) - \phi(i)$ for $i \in \mathbb{Z}_p$. In the literature, Herzberg et al. [23] have used this technique in their share recovery scheme.

Setup($1^\kappa$, $t$) computes two groups $\mathbb{G}$ and $\mathbb{G}_T$ of prime order $p$ (providing $\kappa$-bit security) such that there exists a symmetric bilinear pairing $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ and for which the $t$-SDH assumption holds. We denote the generated bilinear pairing group as $\mathcal{G} = \langle e, \mathbb{G}, \mathbb{G}_T \rangle$. Choose a generator $g \in_R \mathbb{G}$. Let $\alpha \in_R \mathbb{Z}_p^*$ be $SK$, generated by a (possibly distributed) trusted authority. Setup also generates a $(t+1)$-tuple $\langle g, g^\alpha, \ldots, g^{\alpha^t} \rangle \in \mathbb{G}^{t+1}$ and outputs $PK = \langle \mathcal{G}, g, g^\alpha, \ldots, g^{\alpha^t} \rangle$. $SK$ is not required in the rest of the construction.

Commit($PK$, $\phi(x)$) computes the commitment $C = g^{\phi(\alpha)} \in \mathbb{G}$ for polynomial $\phi(x) \in \mathbb{Z}_p[x]$ of degree $t$ or less. For $\phi(x) = \sum_{j=0}^{\deg(\phi)} \phi_j x^j$ it outputs $C = \prod_{j=0}^{\deg(\phi)} (g^{\alpha^j})^{\phi_j}$ as the commitment to $\phi(x)$.

Open($PK$, $C$, $\phi(x)$) outputs the committed polynomial $\phi(x)$.

VerifyPoly($PK$, $C$, $\phi(x)$) verifies that $C = g^{\phi(\alpha)}$. If $C = \prod_{j=0}^{\deg(\phi)} (g^{\alpha^j})^{\phi_j}$ for $\phi(x) = \sum_{j=0}^{\deg(\phi)} \phi_j x^j$ the algorithm outputs 1, else it outputs 0. Note that this only works when $\deg(\phi) \leq t$.

CreateWitness($PK$, $\phi(x)$, $i$) computes $\psi_i(x) = \frac{\phi(x) - \phi(i)}{x - i}$ and outputs $\langle i, \phi(i), w_i \rangle$, where the witness $w_i = g^{\psi_i(\alpha)}$ is computed in a manner similar to $C$, above.

VerifyEval($PK$, $C$, $i$, $\phi(i)$, $w_i$) verifies that $\phi(i)$ is the evaluation at the index $i$ of the polynomial committed to by $C$. If $e(C, g) = e(w_i, g^\alpha / g^i)\, e(g, g)^{\phi(i)}$, the algorithm outputs 1, else it outputs 0.

VerifyEval is correct because

$$e(w_i, g^\alpha / g^i)\, e(g, g)^{\phi(i)} = e(g^{\psi_i(\alpha)}, g^{(\alpha - i)})\, e(g, g)^{\phi(i)} = e(g, g)^{\psi_i(\alpha)(\alpha - i) + \phi(i)} = e(g, g)^{\phi(\alpha)} = e(C, g)$$

as $\phi(x) = \psi_i(x)(x - i) + \phi(i)$.

Theorem 1. PolyCommit_DL is a secure polynomial commitment scheme (as defined in Definition 5) provided the DL and $t$-SDH assumptions hold in $\mathcal{G}$.

A proof is provided in the extended version. The proof of the binding property uses the $t$-SDH assumption, while the proof of the hiding property uses the DL assumption.





3.3 Construction: PolyCommit_Ped

PolyCommit_Ped is also based on the same algebraic property of $\phi(x) \in \mathbb{Z}_p[x]$: $(x - i)$ perfectly divides the polynomial $\phi(x) - \phi(i)$ for $i \in \mathbb{Z}_p$; however, it uses an additional random polynomial $\hat{\phi}(x)$ to achieve unconditional hiding.

The PolyCommit_DL scheme is homomorphic in nature. Given PolyCommit_DL commitments $C_{\phi_1}$ and $C_{\phi_2}$ associated with polynomials $\phi_1(x)$ and $\phi_2(x)$ respectively, one can compute the commitment $C_\phi$ for $\phi(x) = \phi_1(x) + \phi_2(x)$ as $C_\phi = C_{\phi_1} C_{\phi_2}$. Further, given two witness-tuples $\langle i, \phi_1(i), w_{\phi_1 i} \rangle$ and $\langle i, \phi_2(i), w_{\phi_2 i} \rangle$ at index $i$ associated with polynomials $\phi_1(x)$ and $\phi_2(x)$ respectively, the corresponding tuple for polynomial $\phi(x)$ can be given as $\langle i, \phi_1(i) + \phi_2(i), w_{\phi_1 i} w_{\phi_2 i} \rangle$. The PolyCommit_Ped construction uses the homomorphic property to combine two commitments (one to $\phi(x)$, one to $\hat{\phi}(x)$), although each commitment uses a different generator. Next, we define our PolyCommit_Ped construction.

Setup($1^\kappa$, $t$) computes two groups $\mathbb{G}$ and $\mathbb{G}_T$ of prime order $p$ (providing $\kappa$-bit security) such that there exists a symmetric bilinear pairing $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ and for which the $t$-SDH assumption holds. We denote the generated bilinear pairing group as $\mathcal{G} = \langle e, \mathbb{G}, \mathbb{G}_T \rangle$. Choose two generators $g, h \in_R \mathbb{G}$. Let $\alpha \in_R \mathbb{Z}_p^*$ be $SK$, generated by a (possibly distributed) trusted authority. Setup also generates a $(2t+2)$-tuple $\langle g, g^\alpha, \ldots, g^{\alpha^t}, h, h^\alpha, \ldots, h^{\alpha^t} \rangle \in \mathbb{G}^{2t+2}$ and outputs $PK = \langle \mathcal{G}, g, g^\alpha, \ldots, g^{\alpha^t}, h, h^\alpha, \ldots, h^{\alpha^t} \rangle$. Similar to PolyCommit_DL, $SK$ is not required by the other algorithms of the commitment scheme.

Commit($PK$, $\phi(x)$) chooses $\hat{\phi}(x) \in_R \mathbb{Z}_p[x]$ of degree $t$ and computes the commitment $C = g^{\phi(\alpha)} h^{\hat{\phi}(\alpha)} \in \mathbb{G}$ for the polynomial $\phi(x) \in \mathbb{Z}_p[x]$ of degree $t$ or less. For $\phi(x) = \sum_{j=0}^{\deg(\phi)} \phi_j x^j$ and $\hat{\phi}(x) = \sum_{j=0}^{\deg(\hat{\phi})} \hat{\phi}_j x^j$, it outputs $C = \prod_{j=0}^{\deg(\phi)} (g^{\alpha^j})^{\phi_j} \prod_{j=0}^{\deg(\hat{\phi})} (h^{\alpha^j})^{\hat{\phi}_j}$ as the commitment to $\phi(x)$.

Open($PK$, $C$, $\phi(x)$, $\hat{\phi}(x)$) outputs the committed polynomials $\phi(x)$ and $\hat{\phi}(x)$.

VerifyPoly($PK$, $C$, $\phi(x)$, $\hat{\phi}(x)$) verifies that $C = g^{\phi(\alpha)} h^{\hat{\phi}(\alpha)}$. If $C = \prod_{j=0}^{\deg(\phi)} (g^{\alpha^j})^{\phi_j} \prod_{j=0}^{\deg(\hat{\phi})} (h^{\alpha^j})^{\hat{\phi}_j}$ for $\phi(x) = \sum_{j=0}^{\deg(\phi)} \phi_j x^j$ and $\hat{\phi}(x) = \sum_{j=0}^{\deg(\hat{\phi})} \hat{\phi}_j x^j$, it outputs 1, else it outputs 0. This only works when both $\deg(\phi)$ and $\deg(\hat{\phi}) \leq t$.

CreateWitness($PK$, $\phi(x)$, $\hat{\phi}(x)$, $i$) calculates $\psi_i(x) = \frac{\phi(x) - \phi(i)}{x - i}$ and $\hat{\psi}_i(x) = \frac{\hat{\phi}(x) - \hat{\phi}(i)}{x - i}$, and outputs $\langle i, \phi(i), \hat{\phi}(i), w_i \rangle$. Here, the witness $w_i = g^{\psi_i(\alpha)} h^{\hat{\psi}_i(\alpha)}$.

VerifyEval($PK$, $C$, $i$, $\phi(i)$, $\hat{\phi}(i)$, $w_i$) verifies that $\phi(i)$ is the evaluation at the index $i$ of the polynomial committed to by $C$. If $e(C, g) = e(w_i, g^\alpha / g^i)\, e(g^{\phi(i)} h^{\hat{\phi}(i)}, g)$, the algorithm outputs 1, else it outputs 0.

In the extended version we show PolyCommit_Ped is correct and prove the following security theorem.

Theorem 2. PolyCommit_Ped is a secure polynomial commitment scheme (as defined in Definition 5) provided the $t$-SDH assumption holds in $\mathcal{G}$.

The proof of the binding property is based on the $t$-SDH assumption, while the hiding property is unconditional.
3.4 Features

We next discuss some important features of PolyCommit_DL and PolyCommit_Ped.

Homomorphism. In §3.3, we describe that the PolyCommit_DL scheme is (additively) homomorphic in nature. In the full version we show that PolyCommit_Ped is also homomorphic.

Unconditional Hiding for PolyCommit_DL. When $t' < \deg(\phi)$ evaluations have been revealed, PolyCommit_DL unconditionally hides any unrevealed evaluation, since the $t' + 1$ evaluations $(\alpha, \phi(\alpha)), (i_1, \phi(i_1)), \ldots, (i_{t'}, \phi(i_{t'}))$ are insufficient to interpolate a polynomial of degree $> t'$. Note that the evaluation pair $(\alpha, \phi(\alpha))$ is available in an exponentiated form $(g^\alpha, g^{\phi(\alpha)})$.

Indistinguishability of Commitments. When a polynomial commitment scheme is randomized, an unbounded adversary cannot distinguish commitments to chosen sets of key-value pairs. When committing to a set of key-value pairs $((k_1, m_1), \ldots, (k_{t+1}, m_{t+1}))$, if indistinguishable PolyCommit_DL commitments are required, it is sufficient to set one $m_i$ to a random value. On the other hand, the PolyCommit_Ped scheme is inherently randomized and can be used directly.

Trapdoor Commitment. The constructions are also trapdoor commitment schemes, where $SK = \alpha$ is the trapdoor. Refer to the extended version for details.

Batch Opening. In the case when multiple evaluations in a PolyCommit_DL commitment must be opened, the opening may be batched to reduce the computation and the communication of both the committer and the verifier; i.e., opening multiple evaluations at the same time is cheaper than opening each of those evaluations individually using CreateWitness and VerifyEval. Let $B \subset \mathbb{Z}_p$, $|B| < t$ be a set of indices to be opened, for a commitment $C = g^{\phi(\alpha)}$ created using PolyCommit_DL. The witness for the values $\phi(i)$, for all $i \in B$, is computed as $w_B = g^{\psi_B(\alpha)}$ for the polynomial $\psi_B(x) = \frac{\phi(x) - r(x)}{\prod_{i \in B}(x - i)}$, where $r(x)$ is the remainder of the polynomial division $\phi(x) / (\prod_{i \in B}(x - i))$; i.e., $\phi(x) = \psi_B(x) (\prod_{i \in B}(x - i)) + r(x)$ and for $i \in B$, $\phi(i) = r(i)$. We define two algorithms for batch opening. The algorithm CreateWitnessBatch($PK$, $\phi(x)$, $B$) outputs $\langle B, r(x), w_B \rangle$ and the algorithm VerifyEvalBatch($PK$, $C$, $B$, $r(x)$, $w_B$) outputs 1 if $e(C, g) = e(g^{\prod_{i \in B}(\alpha - i)}, w_B)\, e(g, g^{r(\alpha)})$ holds, $\deg r(x) = |B|$, and $r(i) = \phi(i)$ for all $i \in B$.

In terms of security, since commitments are formed in the same way as the Commit algorithm of PolyCommit_DL and CreateWitnessBatch reveals no more information than running the CreateWitness algorithm of PolyCommit_DL for all batch elements individually, the hiding property (Theorem 1) still holds. For binding, an adversary should not be able to open a batch $B$ containing an index $i$, in a manner that conflicts with the value $\phi(i)$ output in an individual opening of index $i$. Formally, we say that batch opening is binding if the following holds:

$$\Pr\left[\begin{array}{l} PK \leftarrow \mathrm{Setup}(1^\kappa, t),\ (C, \langle B, w_B, r(x) \rangle, \langle i \in B, w_i, \phi(i) \rangle) \leftarrow \mathcal{A}(PK) : \\ \mathrm{VerifyEvalBatch}(PK, C, B, w_B, r(x)) = 1 \ \wedge \\ \mathrm{VerifyEval}(PK, C, i, w_i, \phi(i)) = 1 \ \wedge\ \phi(i) \neq r(i) \end{array}\right] = \epsilon(\kappa).$$
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Theorem 3. The construction of CreateWitnessBatch, VerifyEvalBatch in § 3. 4 
is binding provided the t-BSDH assumption holds in G. 

This theorem is proven in the full version. The batch construction can be mod- 
ified for PolyCommit Ped due to homomorphic nature of PolyCommit DL . In the 
full version we also compare the overhead of various commitment schemes, when 
Alice commits to t values, and then must reveal k of them. Overhead excludes 
the communication cost of sending the committed values. Notably, the commu- 
nication overhead of PolyCommit DL is constant when batch opening is used. 
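The polynomial algebra behind these constructions, worked over $\mathbb{Z}_p$ as an added example (not code from the paper): it builds $\phi$ from a message list by interpolation (§3.1), computes the witness polynomial $\psi_i$ of CreateWitness (§3.2) and the batch remainder $r(x)$ and quotient $\psi_B$ of this subsection, and checks the identities that the pairing equations of VerifyEval and VerifyEvalBatch verify in the exponent, evaluated at the trapdoor $\alpha$. The bilinear group itself is not implemented, and the prime, indices and messages are constructed values.

```python
# Added example, not the paper's code: the polynomial algebra behind
# committing to a message list by interpolation (Sec. 3.1), the witness
# psi_i of CreateWitness (Sec. 3.2) and the batch opening of Sec. 3.4.
# Assumption: no bilinear group is implemented; each pairing check is
# replaced by the identity it verifies in the exponent, checked at the
# hidden trapdoor alpha (which a real verifier never sees).
import random

P = 2**61 - 1  # constructed stand-in for the prime group order p

def trim(f):
    """A polynomial is a list of coefficients in Z_p, lowest degree first;
    reduce mod P and drop leading zeros so that deg(f) == len(f) - 1."""
    f = [c % P for c in f]
    while f and f[-1] == 0:
        f.pop()
    return f

def evaluate(f, x):
    """Horner evaluation of f(x) in Z_p."""
    acc = 0
    for c in reversed(f):
        acc = (acc * x + c) % P
    return acc

def sub(f, g):
    n = max(len(f), len(g))
    f, g = f + [0] * (n - len(f)), g + [0] * (n - len(g))
    return trim([a - b for a, b in zip(f, g)])

def mul(f, g):
    out = [0] * max(len(f) + len(g) - 1, 0)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = (out[i + j] + a * b) % P
    return trim(out)

def divmod_poly(f, g):
    """Long division in Z_p[x]: returns (q, r) with f = q*g + r, deg r < deg g."""
    f, g = trim(f), trim(g)
    inv_lead = pow(g[-1], P - 2, P)
    q = [0] * max(len(f) - len(g) + 1, 1)
    while len(f) >= len(g):
        shift = len(f) - len(g)
        c = f[-1] * inv_lead % P
        q[shift] = c
        f = sub(f, [0] * shift + [c * b % P for b in g])  # cancels the top term
    return trim(q), f

def vanishing(B):
    """prod_{i in B} (x - i)."""
    z = [1]
    for i in B:
        z = mul(z, [(-i) % P, 1])
    return z

def interpolate(points):
    """Lagrange interpolation: the unique phi with deg(phi) <= len(points)-1
    and phi(k_j) = m_j; this turns a list of keyed messages into phi."""
    phi = []
    for j, (kj, mj) in enumerate(points):
        num, den = [1], 1
        for l, (kl, _) in enumerate(points):
            if l != j:
                num = mul(num, [(-kl) % P, 1])
                den = den * (kj - kl) % P
        scale = mj * pow(den, P - 2, P) % P
        phi = sub(phi, [(-c * scale) % P for c in num])  # phi += scale * num
    return phi

def create_witness(phi, i):
    """psi_i(x) = (phi(x) - phi(i)) / (x - i); the remainder is always zero."""
    psi, rem = divmod_poly(sub(phi, [evaluate(phi, i)]), [(-i) % P, 1])
    assert rem == [], "(x - i) perfectly divides phi(x) - phi(i)"
    return psi

def verify_eval(c, i, value, w, alpha):
    """Exponent form of e(C,g) = e(w_i, g^alpha/g^i) e(g,g)^{phi(i)}."""
    return c == (w * ((alpha - i) % P) + value) % P

def create_witness_batch(phi, B):
    """phi(x) = psi_B(x) * prod_{i in B}(x - i) + r(x); returns (r, psi_B)."""
    psi_b, r = divmod_poly(phi, vanishing(B))
    return r, psi_b

def verify_eval_batch(c, B, r, w_b, alpha):
    """Exponent form of e(C,g) = e(g^{prod(alpha - i)}, w_B) e(g, g^{r(alpha)}).
    r must be a genuine remainder, i.e. have at most |B| coefficients."""
    if len(r) > len(B):
        return False
    return c == (evaluate(vanishing(B), alpha) * w_b + evaluate(r, alpha)) % P

def demo(seed=7):
    """Commit to three constructed messages, open one index and a batch, and
    check that a forged value is rejected; returns the three outcomes."""
    rng = random.Random(seed)
    alpha = rng.randrange(1, P)                   # SK, known to Setup only
    keyed_msgs = [(1, 101), (2, 202), (3, 303)]   # constructed (k_j, m_j) pairs
    phi = interpolate(keyed_msgs)
    c = evaluate(phi, alpha)                      # exponent of C = g^{phi(alpha)}
    w2 = evaluate(create_witness(phi, 2), alpha)  # exponent of w_2 = g^{psi_2(alpha)}
    ok_single = verify_eval(c, 2, evaluate(phi, 2), w2, alpha)
    forged = verify_eval(c, 2, (evaluate(phi, 2) + 1) % P, w2, alpha)
    r, psi_b = create_witness_batch(phi, [1, 3])
    ok_batch = (verify_eval_batch(c, [1, 3], r, evaluate(psi_b, alpha), alpha)
                and all(evaluate(r, k) == m for k, m in keyed_msgs if k != 2))
    return ok_single, forged, ok_batch
```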

Strong Correctness. VSS schemes will require an additional property of the 
PolyCommit scheme: it should not be possible to commit to a polynomial of 
degree greater than t. This is called the strong correctness property. 

To define strong correctness for the PolyCommit schemes is not easy, e.g., there are many polynomials $\phi'$ of degree greater than $t$ such that $\phi'(\alpha) = z \in_R \mathbb{Z}_p$, and so $g^z$ is trivially a PolyCommit_DL commitment to some polynomial of degree $t'$ such that $2^\kappa > t' > t$. To avoid this triviality, we require that an adversary $\mathcal{A}$ must convince a challenger $\mathcal{B}$ that he knows $\phi$ with the following game. $\mathcal{A}$ creates a commitment to a claimed polynomial $\phi'$ of degree $t'$. $\mathcal{B}$ challenges $\mathcal{A}$ with $t'+1$ indices $I \subset \mathbb{Z}_p$. $\mathcal{A}$ wins if he is able to produce $\{\langle i, \phi(i), w_i\rangle\}_{i \in I}$ accepted by VerifyEval and the interpolation (in exponents) of any $t'+1$ witnesses generates a degree $t'-1$ polynomial. Similarly for PolyCommit_Ped. Refer to the extended version of the paper for proof of the following theorem.

Theorem 4. PolyCommit_DL and PolyCommit_Ped have the strong correctness property if the $t$-polyDH assumption holds in $\mathbb{G}$.

Practicality and Efficiency Improvements. In absence of a single trusted 
party, computing Setup can be distributed. Here, SK = a is computed in a 
distributed form (i.e., shared by multiple parties forming a distributed authority) 
using the concept of distributed key generation [31]. PK is computed using a 
distributed multiplication protocol [20]. As we do not require SK during our 
protocols and as anybody can verify the correctness of PK using pairings, it is 
possible to consider PK as a global reusable set, shared in many systems. 

Further, the exponentiations required when committing and creating witnesses can be trivially parallelized. Also, since $C = g^{\phi(\alpha)}$ is computed as a product of powers (sometimes called a multi-exponentiation), we suggest using fast exponentiation techniques [32] instead of a naive implementation. It is also possible to precompute $e(C, g)$ and $e(g, g)$ for use during verification.

4 Applications 


In this section, we describe applications of our commitment schemes to verifiable 
secret sharing (§4.1), zero-knowledge sets and elementary databases (§4.2), and 
selective disclosure of signed data and credentials (§4.3). 
4.1 Verifiable Secret Sharing (VSS)

For integers $n$ and $t$ such that $n > t > 0$, an $(n, t)$-secret sharing scheme [34, 4] is a method used by a dealer $P_d$ to share a secret $s$ among a set of $n$ participants (the sharing Sh phase) in such a way that in the reconstruction Rec phase any subset of $t+1$ or more honest participants can compute the secret $s$, but subsets of size $t$ or fewer cannot. Furthermore, in secret sharing, nodes may need a procedure to verify the correctness of the dealt values in order to prevent malicious behaviour by the dealer. To solve this problem, Chor et al. [15] introduced verifiability in secret sharing, which led to the concept of verifiable secret sharing (VSS).

VSS schemes have two security requirements: secrecy and correctness. 

Secrecy (VSS-S). A $t$-limited adversary who compromises $t$ nodes cannot compute $s$ during the Sh phase.

Correctness (VSS-C). The reconstructed value should be equal to the shared secret $s$ or every honest node concludes that the dealer is malicious by outputting $\bot$.

In the computational complexity setting, any malicious behaviour by $P_d$ is caught by the honest nodes in the Sh phase itself and the VSS-C property simplifies to the following: the reconstructed value should be equal to the shared secret $s$.

Many VSS applications require that broadcasts from any $t+1$ honest nodes or any $2t+1$ nodes are sufficient to reconstruct $s$. Therefore, along with VSS-S and VSS-C, we mandate the correctness property that we refer to as the strong correctness property. Further, some VSS schemes achieve a stronger secrecy guarantee.

Strong Correctness (VSS-SC). The same unique value $s$ is reconstructed regardless of the subset of nodes (of size greater than $2t$) chosen by the adversary in the Rec algorithm.

Strong Secrecy (VSS-SS). The adversary who compromises $t$ nodes has no more information about $s$ except what is implied by the public parameters.

Feldman [18] developed the first efficient VSS protocol, which forms the basis of all VSS schemes defined in the literature. In the literature, the discrete logarithm commitment or Pedersen commitment is used in the Feldman VSS to achieve the binding (correctness) and the hiding (secrecy) properties. Both of these commitment schemes trivially satisfy the strong correctness (VSS-SC) property of VSS by the fact that the size of a commitment to a polynomial $\phi(x) \in \mathbb{Z}_p[x]$ is equal to $\deg(\phi) + 1$, which is $O(n)$ (since for optimal resiliency, $\deg(\phi) = t = \lfloor \frac{n-1}{2} \rfloor$). However, the commitment to a polynomial has to be broadcast to all nodes, which results in a linear-size broadcast for Feldman VSS and its variants and a linear complexity gap between the message and the bit complexities. Our goal is to close this gap using any of the PolyCommit schemes. Next, we apply PolyCommit_DL to existing polynomial-based VSS schemes and reduce the broadcast message size of VSS by a linear factor, making it equal to the message complexity. Although PolyCommit_DL can be used in any univariate polynomial-based scheme, we choose the Feldman VSS for ease of exposition.
Sh Phase

1. To share a secret $s \in \mathbb{Z}_p$, the dealer $P_d$ chooses a random degree $t$ polynomial $\phi(x) = \sum_{j=0}^{t} \phi_j x^j \in \mathbb{Z}_p[x]$ such that $\phi(0) = \phi_0 = s$. It then broadcasts $C = \mathrm{Commit}(\mathrm{PK}, \phi(x))$.

2. For $\ell \in [1, n]$, $P_d$ computes a share $s_\ell = \phi(\ell)$, a witness $w_\ell = \mathrm{CreateWitness}(\mathrm{PK}, \phi(x), \ell)$ and sends $(\ell, \phi(\ell), w_\ell)$ to node $P_\ell$ over a secure and authenticated channel.

3. After receiving $(i, \phi(i), w_i)$ from $P_d$, node $P_i$ runs $\mathrm{VerifyEval}(\mathrm{PK}, C, i, \phi(i), w_i)$. If the verification fails, $P_i$ broadcasts an accusation message against $P_d$.

4. If more than $t$ nodes accuse $P_d$, then it is clearly faulty and is disqualified. If not, for each accusing party $P_\ell$, $P_d$ broadcasts the corresponding share and witness $(\ell, \phi(\ell), w_\ell)$ such that VerifyEval holds.

5. If any of the revealed shares fails VerifyEval, $P_d$ is disqualified and the protocol stops. If there is no disqualification, each node $P_\ell$ accepts $s_\ell = \phi(\ell)$.

Rec Phase

Any $t+1$ or more nodes $P_i$ publish their accepted shares and witnesses $(i, s_i, w_i)$. All $t+1$ (or more) nodes verify each of the broadcast shares $(i, \phi(i), w_i)$ using VerifyEval and then interpolate the pairs $(i, \phi(i))$ to determine the secret $s = \phi(0)$.

Fig. 1. eVSS: An efficient Feldman VSS using PolyCommit_DL


Our efficient Feldman VSS (eVSS) scheme runs $\mathrm{Setup}(1^\kappa, t)$ of PolyCommit_DL once, which outputs $\mathrm{PK} = (\mathbb{G}, g, g^\alpha, \ldots, g^{\alpha^t})$. Further, as we are working in the synchronous communication model, a resiliency bound of $n \geq 2t+1$ is required for VSS to provide correctness against a $t$-limited Byzantine adversary, as the $n - t$ honest nodes available during the Sh and Rec phases should at least be equal to $t+1$ (the required threshold). In Figure 1, we present eVSS, which uses the PolyCommit_DL scheme in the Feldman VSS. In the Sh and the Rec phases of the eVSS scheme, the VSS methodology remains exactly the same as that of Feldman VSS, except that here the $t+1$ commitments of the form $g^{\phi_j}$ for $\phi(x) = \sum_{j=0}^{t} \phi_j x^j$ are replaced by a single polynomial commitment $C = g^{\phi(\alpha)}$. In addition, along with a share $s_i$, $P_d$ now sends a witness $w_i$ to node $P_i$. Overall, the eVSS protocol needs $O(1)$ broadcast instead of the $O(n)$ required by the Feldman VSS. In case of multiple accusations, dealer $P_d$ can use the batch opening feature described in §3.4 to provide a single witness for the complete batch. Furthermore, due to the homomorphic nature of PolyCommit, the eVSS scheme can easily be converted to a distributed key generation protocol [31].
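To make the algebra behind VerifyEval, the batch opening of §3.4 and the eVSS Sh/Rec phases of Fig. 1 concrete, here is an added Python toy (not code from the paper): it evaluates the polynomials directly at a publicly known trapdoor $\alpha$ in $\mathbb{Z}_p$ instead of forming $g^{\phi(\alpha)}$ and checking pairing equations, so it demonstrates the identities the pairings verify but is neither hiding nor binding. The field prime, $\alpha$, the secret and the node count are constructed values.

```python
import random

# Constructed toy parameters: in PolyCommit_DL only (g, g^alpha, ..., g^(alpha^t)) is
# public and alpha is discarded after Setup; here alpha is public, so this is NOT a
# commitment scheme, only a demonstration of the identities the pairing checks enforce.
P = 2**61 - 1
ALPHA = 1234567890123456789


def poly_eval(phi, x):
    """Horner evaluation of phi (coefficients low to high) at x in Z_p."""
    acc = 0
    for c in reversed(phi):
        acc = (acc * x + c) % P
    return acc


def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % P
    return out


def poly_divmod(num, den):
    """Long division in Z_p[x]: returns (quotient, remainder)."""
    num = [c % P for c in num]
    q = [0] * max(len(num) - len(den) + 1, 1)
    inv_lead = pow(den[-1], P - 2, P)
    for k in range(len(num) - len(den), -1, -1):
        coef = num[k + len(den) - 1] * inv_lead % P
        q[k] = coef
        for j, d in enumerate(den):
            num[k + j] = (num[k + j] - coef * d) % P
    return q, num[:len(den) - 1] or [0]


def commit(phi):
    """PolyCommit_DL outputs g^phi(alpha); the toy outputs phi(alpha) itself."""
    return poly_eval(phi, ALPHA)


def create_witness(phi, i):
    """psi_i(x) = (phi(x) - phi(i)) / (x - i) divides exactly only for the true
    phi(i); w_i = psi_i(alpha) stands in for g^psi_i(alpha)."""
    v = poly_eval(phi, i)
    psi, rem = poly_divmod([(phi[0] - v) % P] + phi[1:], [(-i) % P, 1])
    assert rem == [0]
    return i, v, poly_eval(psi, ALPHA)


def verify_eval(C, i, v, w):
    """Exponent-level form of e(C, g) = e(w_i, g^(alpha - i)) e(g, g^v)."""
    return C == (w * (ALPHA - i) + v) % P


def create_witness_batch(phi, B):
    """Batch opening: r(x) = phi(x) mod prod_{i in B}(x - i), w_B = psi_B(alpha)."""
    den = [1]
    for i in B:
        den = poly_mul(den, [(-i) % P, 1])
    psi_B, r = poly_divmod(phi, den)
    return list(B), r, poly_eval(psi_B, ALPHA)


def verify_eval_batch(C, B, r, w_B):
    """Exponent-level form of e(C, g) = e(g^prod(alpha - i), w_B) e(g, g^r(alpha))
    plus the degree bound on r(x); returns the opened values {i: r(i)} or None."""
    if len(r) > len(B):          # r is a remainder modulo a degree-|B| polynomial
        return None
    prod = 1
    for i in B:
        prod = prod * (ALPHA - i) % P
    if C != (w_B * prod + poly_eval(r, ALPHA)) % P:
        return None
    return {i: poly_eval(r, i) for i in B}


# eVSS (Fig. 1) on top of the toy commitment.
def sh_phase(secret, t, n, rng=random):
    """Dealer P_d: random degree-t phi with phi(0) = secret, broadcast C = Commit(phi),
    and send (l, phi(l), w_l) to node P_l for l = 1..n over private channels."""
    phi = [secret % P] + [rng.randrange(P) for _ in range(t)]
    C = commit(phi)
    return C, [create_witness(phi, l) for l in range(1, n + 1)]


def rec_phase(C, published, t):
    """Nodes check every published (i, s_i, w_i) with VerifyEval against the
    broadcast C, drop the rest and interpolate phi(0) from t + 1 accepted shares."""
    good = [(i, s) for i, s, w in published if verify_eval(C, i, s, w)]
    if len(good) < t + 1:
        return None                      # too few valid shares to reconstruct
    good = good[:t + 1]
    secret = 0
    for i, s_i in good:                  # Lagrange basis polynomials evaluated at 0
        num = den = 1
        for j, _ in good:
            if j != i:
                num = num * j % P
                den = den * (j - i) % P
        secret = (secret + s_i * num * pow(den, P - 2, P)) % P
    return secret
```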

Theorem 5. The eVSS protocol implements a synchronous VSS scheme with the VSS-S and VSS-SC properties for $n \geq 2t+1$ provided the DL, $t$-SDH and $t$-polyDH assumptions hold in $\mathbb{G}$.

We need to prove the secrecy, correctness and strong correctness properties of a synchronous VSS scheme. Secrecy and correctness result directly from Theorem 1, while Theorem 4 provides the strong correctness property. The secrecy provided by eVSS is computational against a $t$-bounded adversary, and unconditional against a $(t-1)$-bounded adversary. Share correctness is computational.

PolyCommit_DL can easily be replaced by PolyCommit_Ped in the above eVSS scheme. In that case, we achieve the strong secrecy (VSS-SS) property due to the unconditional hiding property (Theorem 2) of PolyCommit_Ped.

4.2 Nearly ZKSs and Nearly ZK-EDBs 

Micali et al. [27] define zero-knowledge sets (ZKSs). Basically, a ZKS allows a committer to create a short commitment to a set of values $S$, such that he may later efficiently prove statements of the form $k_j \in S$ or $k_j \notin S$ in zero-knowledge. No additional information about $S$ is revealed. Perhaps the most challenging aspect in ZKS construction is that not even an upper bound on $|S|$ may be revealed. The closely related notion of zero-knowledge elementary databases (ZK-EDB) is also defined in [27]. Loosely speaking, an EDB is a list of key-value pairs, and a ZK-EDB allows a committer to prove that a given value is associated with a given key with respect to a short commitment.

We argue that relaxing the requirements of a ZKS is sufficient for known 
applications, and show this leads to a significantly more efficient primitive. In 
particular, by not hiding |S|, the size of the proof that an element is (or is not) 
in a committed set is reduced by a factor of sixteen or more, when compared to 
the best known ZKS construction. 

Motivation. Much of the literature on ZKSs does not consider applications [12, 13, 19, 25, 33]. In the applications of ZKSs (and ZK-EDBs) suggested in [27] the
size of the set (or DB) is not crucial to the intended security or privacy of the 
application. The applications given are to improve privacy and access control 
when the records of an EDB contain sensitive information about people, e.g., 
medical records. In such cases, revealing a bound on the number of records in the 
database clearly does not affect the privacy of an individual whose information 
is kept in the database. 

Another use of ZKSs and ZK-EDBs is for committed databases [30]. In this 
application, a database owner commits to the database and then proves for 
every query that the response is consistent with the commitment. For many 
applications the contents of the committed database must be hidden, but the size 
may be revealed. An example is given in Buldas et al. [9]. Here ZK-EDBs are used 
to increase the accountability of a certification authority by preventing it from 
providing inconsistent responses to queries about the validity of a certificate. 
Clearly, keeping the number of certificates hidden is not required. Therefore, a 
weaker type of ZKS primitive that does not hide the size of the set will suffice for 
most practical applications of ZKSs. We call a ZKS that may leak information 
about the size of the set a nearly ZKS. Similarly, a nearly ZK-EDB is a ZK-EDB 
that may leak information about the number of records it contains. 

Note that an accumulator also represents a set of values with proofs of membership, and some even allow proofs of non-membership (e.g., see [17]). They do not, however, guarantee hiding (the ZK property); in [17], after seeing responses to $t$ non-membership queries we may recover the entire accumulated set.

SetupZKS($1^\kappa$, $t$) outputs PK = Setup($1^\kappa$, $t$). $t$ is an upper bound on the size of the set which may be committed.

CommitZKS(PK, $S$) requires $|S| \leq t$. Define $\phi(x) = \prod_{k_j \in S}(x - k_j) \in \mathbb{Z}_p[x]$. Output $C = \mathrm{Commit}(\mathrm{PK}, \phi(x))$. Let $\hat\phi(x) \in \mathbb{Z}_p[x]$ be the random degree $t$ polynomial chosen in PolyCommit_Ped.

QueryZKS(PK, $C$, $k_j$) allows the committer to create a proof that either $k_j \in S$ or $k_j \notin S$. Compute $\langle k_j, \phi(k_j), \hat\phi(k_j), w_j\rangle = \mathrm{CreateWitness}(\mathrm{PK}, \phi(x), \hat\phi(x), k_j)$.

(i) If $k_j \in S$, output $\pi_{S_j} = (k_j, w_j, \hat\phi(k_j), \bot)$.

(ii) If $k_j \notin S$, create $z_j = g^{\phi(k_j)} h^{\hat\phi(k_j)}$ and a ZK proof of knowledge of $\phi(k_j)$ and $\hat\phi(k_j)$ in $z_j = g^{\phi(k_j)} h^{\hat\phi(k_j)}$. Let $y_j = (z_j, \text{ZK proof})$. Output $\pi_{S_j} = (k_j, w_j, \bot, y_j)$.

VerifyZKS(PK, $C$, $\pi_{S_j}$) parses $\pi_{S_j}$ as $(k_j, w_j, \hat\phi(k_j), y_j)$.

(i) If $\hat\phi(k_j) \neq \bot$, then $k_j \in S$. Output 1 if $\mathrm{VerifyEval}(\mathrm{PK}, C, k_j, 0, \hat\phi(k_j), w_j) = 1$.

(ii) If $\hat\phi(k_j) = \bot$, then $k_j \notin S$. Parse $y_j$ as $(z_j, \text{ZK proof})$. If $e(C, g) = e(w_j, g^{\alpha - k_j})\, e(z_j, g)$, and the ZK proof of knowledge of $z_j$ is valid, output 1. Output 0 if either check fails.

Fig. 2. A nearly ZKS scheme based on PolyCommit_Ped

Construction of a Nearly ZKS. This construction (Figure 2) will use PolyCommit_Ped, and allows us to commit to $S \subset \mathbb{Z}_p^*$ such that $|S| \leq t$. The basic idea is to commit to a polynomial $\phi$, such that $\phi(k_j) = 0$ for $k_j \in S$, and $\phi(k_j) \neq 0$ for $k_j \notin S$. Our construction relies on a ZK proof that proves $\phi(k_j) \neq 0$ without revealing $\phi(k_j)$, to maintain privacy for queries when $k_j \notin S$. Although a construction based on PolyCommit_DL is also possible, we choose PolyCommit_Ped as the required ZK proof is simpler in the latter case. For convenience we describe our protocols assuming the ZK proof is non-interactive; however, an interactive ZK proof may be used as well.

A security definition and proof are provided in the full version. The ZK proof 
of knowledge may be implemented using any secure ZK proof system allowing 
proof of knowledge of a discrete logarithm (see [11] for examples). 

Construction of a Nearly ZK-EDB. This construction (Figure 3) makes use of the above nearly ZKS construction and PolyCommit_DL. Let $D = (K, V) \subset \mathbb{Z}_p^* \times \mathbb{Z}_p^*$ be a list of key-value pairs that will define the database ($K$ and $V$ are ordered lists of equal length such that the value $m_j \in V$ corresponds to the key $k_j \in K$). The values may repeat, but the keys must be distinct. We write $D(k_j)$ to denote the value associated to key $k_j$ (if $k_j \notin K$, then $D(k_j) = \bot$). The underlying idea of our construction is to commit to the keys using our nearly ZKS, and also commit to $\phi$, such that $\phi(k_j) = m_j$, using PolyCommit_DL, since it is sufficient for security and more efficient. The reason for using the nearly ZKS is to respond to queries when $k \notin D$ without revealing any additional information.

SetupEDB($1^\kappa$, $t$) runs SetupZKS($1^\kappa$, $t$), and outputs PK.

CommitEDB(PK, $D = (K, V)$) sets $C_1 = \mathrm{CommitZKS}(\mathrm{PK}, K)$. It then interpolates the $t$ (or fewer) points $(k_j, m_j) \in D$, and one or more random points $(k_r, m_r) \in_R \mathbb{Z}_p \times \mathbb{Z}_p$, to get a polynomial $\phi_2(x) \in \mathbb{Z}_p[x]$, assured to be of degree $t$. Set $C_2 = \mathrm{Commit}(\mathrm{PK}, \phi_2(x))$ and output $\mathcal{C} = (C_1, C_2)$.

QueryEDB(PK, $\mathcal{C}$, $k_j$) parses $\mathcal{C}$ as $(C_1, C_2)$.

(i) If $k_j \in K$, compute $\pi_{S_j} = \mathrm{QueryZKS}(\mathrm{PK}, C_1, k_j)$ to show that $k_j \in K$ and $(k_j, m_j, w_{m_j}) = \mathrm{CreateWitness}(\mathrm{PK}, \phi_2(x), k_j)$ to show that $D(k_j) = m_j$. Output $\pi_{D_j} = (\pi_{S_j}, m_j, w_{m_j})$.

(ii) If $k_j \notin K$, we show that $k_j \notin K$: set $\pi_{S_j} = \mathrm{QueryZKS}(\mathrm{PK}, C_1, k_j)$. Output $\pi_{D_j} = (\pi_{S_j}, \bot, \bot)$.

VerifyEDB(PK, $\mathcal{C}$, $\pi_{D_j}$) parses $\pi_{D_j}$ as $(\pi_{S_j}, m_j, w_{m_j})$ and $\mathcal{C}$ as $(C_1, C_2)$.

(i) If $m_j \neq \bot$, then $k_j \in K$; output $(k_j, m_j)$ if $\mathrm{VerifyZKS}(\mathrm{PK}, C_1, \pi_{S_j}) = 1$ and $\mathrm{VerifyEval}(\mathrm{PK}, C_2, k_j, m_j, w_{m_j}) = 1$.

(ii) If $m_j = \bot$, then $k_j \notin K$; output 1 if $\mathrm{VerifyZKS}(\mathrm{PK}, C_1, \pi_{S_j}) = 1$.

Fig. 3. A nearly ZK-EDB scheme constructed using our nearly ZKS construction (Figure 2) and PolyCommit_DL
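The following Python toy (added here; not code from the paper) walks through Fig. 2 and Fig. 3 with an in-the-clear stand-in for PolyCommit, evaluating polynomials at a public $\alpha$ instead of committing to them: set membership is a root of $\phi(x) = \prod_{k \in S}(x - k)$, and the ZK-EDB pads the key-value points with random points before interpolating $\phi_2$. It uses the PolyCommit_DL flavour the text mentions as possible, so a non-membership answer reveals $\phi(k_j)$ where Fig. 2 hides it behind $z_j$ and a ZK proof; field prime, $\alpha$, keys and values are constructed.

```python
import random

P = 2**61 - 1                   # constructed toy field; alpha is public, so nothing is hidden
ALPHA = 1234567890123456789


def poly_eval(phi, x):          # phi as coefficients low to high, evaluated in Z_p
    return sum(c * pow(x, d, P) for d, c in enumerate(phi)) % P


def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % P
    return out


def div_by_linear(phi, k):
    """Synthetic division: psi with phi(x) - phi(k) = (x - k) psi(x) in Z_p[x]."""
    psi = [0] * (len(phi) - 1)
    carry = 0
    for idx in range(len(phi) - 1, 0, -1):
        carry = (phi[idx] + k * carry) % P
        psi[idx - 1] = carry
    return psi


def interpolate(points):
    """Lagrange interpolation through (x, y) pairs with distinct x."""
    result = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                basis = poly_mul(basis, [(-xj) % P, 1])
                denom = denom * (xi - xj) % P
        scale = yi * pow(denom, P - 2, P) % P
        for d, c in enumerate(basis):
            result[d] = (result[d] + c * scale) % P
    return result


def commit(phi):                # stands in for g^phi(alpha)
    return poly_eval(phi, ALPHA)


def open_at(phi, k):            # stands in for CreateWitness: (k, phi(k), psi(alpha))
    return k, poly_eval(phi, k), poly_eval(div_by_linear(phi, k), ALPHA)


def verify_open(C, k, v, w):    # exponent-level form of the VerifyEval pairing check
    return C == (w * (ALPHA - k) + v) % P


# Nearly ZKS (Fig. 2): members of S are exactly the roots of phi.
def commit_zks(S, t):
    if len(S) > t:
        raise ValueError("CommitZKS requires |S| <= t")
    phi = [1]
    for k in S:
        phi = poly_mul(phi, [(-k) % P, 1])
    return phi, commit(phi)


def query_zks(phi, k):          # proof (k, v, w): v = 0 shows k in S, v != 0 shows k not in S
    return open_at(phi, k)


def verify_zks(C, proof):
    """True (member), False (non-member) or None (invalid proof)."""
    k, v, w = proof
    if not verify_open(C, k, v, w):
        return None
    return v == 0


# Nearly ZK-EDB (Fig. 3): C1 commits to the keys, C2 to phi2 with phi2(k_j) = m_j.
def commit_edb(D, t, rng=random):
    phi1, C1 = commit_zks(list(D), t)
    points = list(D.items())
    while len(points) < t + 1:            # random padding points make deg phi2 = t
        k = rng.randrange(1, P)
        if k not in D and all(k != x for x, _ in points):
            points.append((k, rng.randrange(P)))
    phi2 = interpolate(points)
    return (phi1, phi2), (C1, commit(phi2))


def query_edb(D, polys, k):
    phi1, phi2 = polys
    pi_S = query_zks(phi1, k)
    if k not in D:
        return pi_S, None, None           # (pi_S, bot, bot)
    _, m, w_m = open_at(phi2, k)
    return pi_S, m, w_m


def verify_edb(commitments, pi_D):
    """(k, m) for a present key, (k, None) for an absent key, None if the proof is bad."""
    C1, C2 = commitments
    pi_S, m, w_m = pi_D
    member = verify_zks(C1, pi_S)
    if member is None or (m is None) != (member is False):
        return None                       # value claimed for an absent key, or vice versa
    if m is None:
        return (pi_S[0], None)
    return (pi_S[0], m) if verify_open(C2, pi_S[0], m, w_m) else None
```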


Efficiency of our nearly ZKS and ZK-EDBs. The size of the commitment is a single group element for a nearly ZKS, or two elements for a nearly ZK-EDB. Proof that $k_j \in S$ consists of two group elements, while proof that $k_j \notin S$ consists of about five group elements (when ZK proofs are implemented using a standard three-move ZK protocol, made non-interactive with the Fiat-Shamir heuristic). The proof sizes for our nearly ZK-EDB construction are three and about five group elements (respectively).

The ZK-EDB in the literature with the shortest proofs is that of Libert and Yung [25] (based on their ZKS construction). Asymptotically, (non)membership proofs are $O(\kappa/\log(t))$ bits, where $\kappa$ is a security parameter, and $t$ is the size of the system parameters. For the parameter choices given in [25], proof sizes range from 80 to 220 group elements. The computation of their scheme and ours is nearly equal. Therefore, using nearly ZK-EDBs in the place of ZK-EDBs reduces communication costs by at least a factor of sixteen.

4.3 Credentials and Selective Disclosure of Signed Data 

In this section we briefly describe two applications of the PolyCommit schemes, and we will show how polynomial commitments can reduce communication costs. Both applications are based on the following idea. Suppose Alice has a list of values $(m_1, \ldots, m_t)$, which will be signed by Trent. If Trent signs the concatenation, then Alice must reveal all $m_i$ to allow Bob to verify the signature. However, if Trent signs $C = \mathrm{Commit}(\mathrm{PK}, \phi(x))$ where $\phi(i) = m_i$, then Alice may allow Bob to verify that Trent has signed $m_i$ without revealing the other $m_j$. Bob verifies the signature on $C$, and Alice produces a witness to prove that $C$ opens to $m_i$ at position $i$, allowing Alice to convince Bob that Trent signed $m_i$.
Content Extraction Signatures. If $(m_1, \ldots, m_t)$ are parts of a document, then signing a polynomial commitment is a content extraction signature (CES) scheme. Steinfeld et al. [35] introduce CES and give a generic construction of CES signatures. The scheme requires a standard commitment scheme, which is then used to commit to each of the $t$ sub-messages $(m_1, \ldots, m_t)$ individually, forming a vector of commitments, which is signed. The scheme is secure, provided the signature scheme is secure, and the commitment scheme is hiding and binding.

Since both PolyCommit schemes are hiding and binding, and allow a list of messages to be committed, they can be used in the general construction of Steinfeld et al. Along with the commitment, Trent should also sign $t$ so that Bob knows that only indices $\{1, \ldots, t\}$ correspond to valid sub-messages. The new scheme is nearly as communication efficient as a specific scheme in [35] which has the lowest communication cost. The latter, however, depends on specific properties of the RSA signature scheme and is secure in the random oracle model. Using a polynomial commitment scheme gives an efficient generic construction. Therefore, efficient standard model CES schemes are possible by combining any of the PolyCommit schemes with a signature scheme secure in the standard model.

Pseudonymous Credentials. If $(m_1, \ldots, m_t)$ are attributes about Alice, and Trent is an identity provider, then the signature Alice holds on $C$ is a digital credential that allows Alice to reveal only as much information as is necessary to complete an online transaction. Here, we create $C$ using PolyCommit_DL, as batched openings are efficient for PolyCommit_DL. Disclosing a single $m_i$ requires Alice to transmit $(C, \mathrm{Sign}_{\mathrm{Trent}}(C), (i, m_i, w_i))$, the size of which is independent of $t$. If Alice reveals a subset of the attributes, a single witness may be used to reduce communication even further using batch opening (described in §3.4). Further, if Trent signs multiple commitments to the same attributes (but includes an extra randomized attribute), Alice may present a different commitment to the same verifier unlinkably.

For many interesting applications of credentials, selective show is insufficient because Alice would like to prove something about $m_i$ (e.g., $m_i < 1990$) without revealing $m_i$. Alice may prove knowledge of a nonzero committed value $\phi(i)$ without revealing it, and compose this proof with other proofs about $m_i$ using standard ZK proof techniques for proving knowledge of, relations between, or the length of discrete logarithms [11]. Since the communication costs per attribute of proving knowledge of a committed value are constant, if $k$ attributes are involved in showing a credential, the complexity of the show will be $O(k)$. In existing schemes the communication is $O(t)$ where $t$ is the total number of attributes in the credential. Further details of this application are given in the full version of this paper.


5 Open Problems 

Finally, we list a few open problems related to polynomial commitment schemes.

1. Is it possible to construct efficient polynomial commitment schemes under weaker assumptions?

2. What other protocols does PolyCommit improve? (For example, can PolyCommit reduce the communication of asynchronous VSS protocols or verifiable shuffles?)

3. We have mainly focused on the communication costs, but our construction asks for nontrivial computation. Is it possible to reduce computation cost as well?
Abstract. We propose a dedicated protocol for the highly motivated problem of secure two-party pattern matching: Alice holds a text $t \in \{0,1\}^*$ of length $n$, while Bob has a pattern $p \in \{0,1\}^*$ of length $m$. The goal is for Bob to learn where his pattern occurs in Alice's text. Our construction guarantees full simulation in the presence of malicious, polynomial-time adversaries (assuming that ElGamal encryption is semantically secure) and exhibits computation and communication costs of $O(n+m)$ in a constant round complexity.

In addition to the above, we propose a collection of protocols for variations of the secure pattern matching problem: The pattern may contain wildcards ($O(nm)$ communication in $O(1)$ rounds). The matches may be approximated, i.e., Hamming distance less than some threshold ($O(nm)$ communication in $O(1)$ rounds). The length, $m$, of Bob's pattern is secret ($O(nm)$ communication in $O(1)$ rounds). The length, $n$, of Alice's text is secret ($O(n+m)$ communication in $O(1)$ rounds).

Keywords: Pattern matching, secure two-party computation, full simulation, malicious adversary.


1 Introduction 

In the setting of secure two-party computation, two parties with private inputs wish to jointly compute some function of their inputs while preserving certain security properties like privacy, correctness and more. The standard definition [GL90, Bea92, MR91, Can00] formalizes security by comparing the execution of such a protocol to an "ideal execution" where a trusted third party computes the function for the parties. Specifically, in the ideal world the parties just send their inputs over perfectly secure communication lines to a trusted party, who then computes the function honestly and sends the output to the designated party. Then, a real protocol is said to be secure if no adversary can do more harm in a real protocol execution than in an ideal one (where by definition no harm can be done).

Secure two-party computation has been extensively studied, and it has been demonstrated that any polynomial-time two-party computation can be generically compiled into a secure function evaluation protocol with polynomial complexity [Yao86, GMW87, Kil88]. These results apply in various settings

M. Abe (Ed.): ASIACRYPT 2010, LNCS 6477, pp. 195–212, 2010.

© International Association for Cryptologic Research 2010 


196 C. Hazay and T. Toft 


(considering semi-honest and malicious adversaries). However, more often than
not, the resulting protocols are inefficient for practical uses (in part because they 
are general and so do not utilize any specific properties of the protocol problem 
at hand) and hence attention has been given to constructing efficient protocols 
for specific functions. This approach has proved quite successful for the semi-honest setting (see, e.g., [LP02, AMP04, PNP04, KS05, TPKC07]), while the malicious setting remained impractical (a notable exception is [AMP04]).

In this paper we consider the following classic search problem: Alice holds a text $t \in \{0,1\}^*$ of length $n$ and Bob is given a pattern (i.e., search word) $p \in \{0,1\}^*$ of length $m$, where the sizes of $t$ and $p$ are mutually known. The goal is for Bob to learn all the locations in the text that match the pattern, while Alice learns nothing about the pattern. This problem has been widely studied for decades due to its potential applications for text retrieval, music retrieval, computational biology, data mining, network security, and many more. The most known application in the context of privacy is in comparing two DNA strings; our example is taken from [GHS10]. Consider the case of a hospital holding
a DNA database of all the participants in a research study, and a researcher 
wanting to determine the frequency of the occurrence of a specific gene. This is a 
classical pattern matching application, which is however complicated by privacy 
considerations. The hospital may be forbidden from releasing the DNA records 
to a third party. Likewise, the researcher may not want to reveal what specific 
gene he is working on, nor trust the hospital to perform the search correctly. 

Although most of the existing solutions are highly practical they fail to achieve any level of security (if at all); see [Blo70, BM77, KMP77, ACR99, NM07] for just
a few examples. In this work, we focus our attention on the secure computation 
of the basic pattern matching problem and several important variants of it. 

Our Contribution. We achieve efficiency that is a significant improvement on 
the current state of the art for the following problems: 

- Secure Pattern Matching. We develop an efficient, constant rounds protocol for this problem that requires $O(n+m)$ exponentiations and bandwidth of $O(n+m)$ group elements. Our protocol lays the foundations for the following constructions.

- Secure Pattern Matching with Wildcards. This problem is a known 
variant of the classic problem where Bob (who holds the pattern) introduces 
a new “don’t care” character to its alphabet, denoted by * (wildcard). The 
goal is for Bob to learn all the locations in the text that match the pattern, 
where * matches any character in the text. This problem has been widely 
looked at by researchers with the aim of generalizing the basic searching 
model to searching with errors. This variant is known as pattern matching 
with don't cares and can be solved in $O(n+m)$ time [IR07]. In this paper, we develop a protocol that computes this functionality with $O(nm)$ costs.

- Secure Approximate Pattern Matching. In this problem the goal is for Bob to find the locations where the Hamming distance of the (text) substrings and the pattern is less than some threshold $t < m$. We design a protocol for this problem with $O(mn)$ costs.
- Secure Pattern Matching where the length of the pattern or the text remains hidden. Finally, we consider two variants with an additional security requirement of hiding the input length. Solutions for these problems can be achieved in $O(nm)$ time.

Our protocols are based on ElGamal encryption and are proven secure in the 
plain model under the standard DDH assumption and achieve full simulation in 
the presence of malicious adversaries. 

Prior Work. To the best of our knowledge, the first who considered pattern matching in the context of secure computation were [TPKC07], who considered a secure version of oblivious automata evaluation to achieve secure pattern matching. Their protocol implements the KMP algorithm [KMP77] in the semi-honest setting. Loosely speaking, the KMP algorithm works in $O(n)$ time and searches for occurrences of the pattern within the text by employing the observation that when a mismatch occurs, the pattern embodies sufficient information to determine where the next match could begin. Their costs are linear in the input length.

This problem was also studied by Hazay and Lindell in [HL08], who used oblivious pseudorandom function (PRF) evaluation. However, their protocol achieves only a weaker notion of security called one-sided simulatability, which does not guarantee full simulation for both corruption cases. The only construction to achieve full simulation in the malicious setting was developed by Gennaro et al. [GHS10]. They took a different approach to implement the KMP algorithm and described a protocol that runs in $O(m)$ rounds and requires $O(nm)$ exponentiations and bandwidth.

Finally, a recent paper by Katz and Malka [KM10] presents a secure solution for a generalized pattern matching problem, denoted text processing. Namely, the party who holds the pattern has some additional information $y$ and his goal is to learn a function of the text and $y$, for the text locations where the pattern matches. They show how to modify Yao's garbled circuit approach to obtain a protocol where the size of the garbled circuit is linear in the number of occurrences of $p$ in $t$ (rather than linear in $|t|$). Their costs are dominated by the size of the circuit times the number of occurrences $u$ (as $P_1$ sends $u$ such circuits). Nevertheless, they assume a common input of some threshold on the number of occurrences.

To the best of our knowledge, the only work which addresses one of the above variants is the work by Jarrous and Pinkas [JP09]. In this work, the authors solve the Hamming distance problem for two equal length strings against malicious adversaries. Their protocol requires a committed oblivious transfer for each bit. Moreover, the costs of their protocol are inflated by a statistical parameter $s$ for running a subprotocol for the oblivious polynomial evaluation functionality (namely, the protocol requires $O(d \cdot s)$ exponentiations, where $d$ is the degree of the polynomial, i.e., the input length). Finally, their protocol utilizes the Paillier encryption scheme and thus requires an RSA modulus with unknown factorization. Our protocol, on the other hand, takes a different approach and requires linear costs, for the case of equal length strings.
Efficiency. In addition to prior work, we compare our protocols to the generic garbling technique by Yao (formally proved by Lindell and Pinkas) [LP07] for secure computation of any functionality in the two-party setting. Recall that Yao's protocol uses a Boolean circuit that computes the function, and its computational complexity is linear in the size of the circuit. Note that computing the pattern matching functionality would require a circuit of size $O(nm)$, as the circuit will compare every pattern against every text location (as noted by [GHS10], a circuit that implements the functionality for oblivious automata evaluation would require $O(mn \log m)$ gates, thus the KMP technique does not contribute to efficiency here). Consequently, our protocol for the basic pattern matching functionality is more efficient than Yao's construction even in the presence of semi-honest adversaries; this is also the case for other circuit based approaches.

Organization of this paper. We first present the underlying primitives in Section 2. The following sections then contain our protocols. The basic protocol is presented in Section 3. This is then extended, first with wildcards in the pattern (Section 4) followed by approximate matching (Section 5). Finally, the paper concludes with the protocols which hide the pattern and text lengths (Sections 6 and 7).

2 Preliminaries and Tools 

Throughout the paper, we denote the security parameter by $\kappa$. A function $\mu(\cdot)$ is negligible in $\kappa$ (or simply negligible) if for every polynomial $p(\cdot)$ there exists a value $K$ such that $\mu(\kappa) < \frac{1}{p(\kappa)}$ for all $\kappa > K$; i.e., $\mu(\kappa) = \kappa^{-\omega(1)}$. Let $X = \{X(\kappa, a)\}_{\kappa \in \mathbb{N}, a \in \{0,1\}^*}$ and $Y = \{Y(\kappa, a)\}_{\kappa \in \mathbb{N}, a \in \{0,1\}^*}$ be distribution ensembles. We say that $X$ and $Y$ are computationally indistinguishable, denoted $X \stackrel{c}{\equiv} Y$, if for every polynomial non-uniform distinguisher $D$ there exists a negligible $\mu(\cdot)$ such that for every $\kappa \in \mathbb{N}$ and $a \in \{0,1\}^*$

$$\big|\Pr[D(X(\kappa, a)) = 1] - \Pr[D(Y(\kappa, a)) = 1]\big| < \mu(\kappa).$$


2.1 The ElGamal Encryption Scheme 

At the core of the proposed protocols lies the additively homomorphic variation of ElGamal encryption, $E_{pk}(m, r) = (g^r, h^r g^m)$, with distributed decryption over a group $G_q$ in which DDH is hard [ElG85]. Essentially, we use the framework of Brandt [Bra05] with minor variations. We present the computation of the parties with respect to the ciphertext space; in particular, we write $C^r$ meaning $(\alpha^r, \beta^r)$ and $C/C'$ meaning $(\alpha/\alpha', \beta/\beta')$ for ciphertexts $C = (\alpha, \beta)$ and $C' = (\alpha', \beta')$, and $r \in \mathbb{Z}_q$. Note that decryption of this variant yields $g^m$ rather than $m$; for the zero tests used below this suffices, since $g^m = 1$ iff $m = 0$.

2.2 Zero-knowledge Proofs for G q and ElGamal Encryption 

To prevent malicious behaviour, the parties must demonstrate that they are well-behaved. To achieve this, our protocols utilize zero-knowledge proofs of knowledge. All of them are $\Sigma$-protocols (with constant communication complexity) which show knowledge of a witness that some statement is true (belongs to a relation $\mathcal{R}$) about one or more elements of $G_q$. The $\Sigma$-protocols can be made secure against malicious verifiers using standard techniques; we denote the associated ideal functionalities for these protocols $\mathcal{F}_{ZK}^{DL}$, $\mathcal{F}_{ZK}^{EqDL}$, $\mathcal{F}_{ZK}^{isBit}$, $\mathcal{F}_{ZK}^{mult}$, $\mathcal{F}_{ZK}^{perm}$ and $\mathcal{F}_{ZK}^{nze}$.


$\pi_{DL}$, due to Schnorr, allows the prover to demonstrate knowledge of the solution $x$ to a discrete logarithm problem [Sch89],

$$\mathcal{R}_{DL} = \{((G_q, q, g, h), x) \mid h = g^x\}.$$

$\pi_{EqDL}$, due to Chaum and Pedersen, demonstrates equality of two discrete logarithms (as well as knowledge of the solution) [CP92],

$$\mathcal{R}_{EqDL} = \{((G_q, q, g_1, g_2, h_1, h_2), x) \mid h_1 = g_1^x \wedge h_2 = g_2^x\}.$$

Phrased differently, $\pi_{EqDL}$ demonstrates that a quadruple forms a Diffie-Hellman tuple or, equivalently, that a ciphertext is an encryption of 0: for $C = (\alpha, \beta) = (g^r, h^r)$ the statement is $(g, h, \alpha, \beta)$ with witness $r$.

$\pi_{isBit}$ demonstrates that for ciphertext $C$, either $C$ or $C \cdot (1, g^{-1})$ is an encryption of 0, i.e. that it is an encryption of either 0 or 1. This can be obtained directly from $\pi_{EqDL}$ using the compound (OR) proof of Cramer et al. [CGS97],

$$\mathcal{R}_{isBit} = \{((G_q, q, g, h, \alpha, \beta), (b, r)) \mid (\alpha, \beta) = (g^r, h^r \cdot g^b) \wedge b \in \{0, 1\}\}.$$

$\pi_{mult}$, due to Abe et al., demonstrates that a party, the prover $P$, has performed a multiplication under the encryption correctly [ACF02]. I.e. given ciphertext $C$, $P$, knowing $f$, has computed $C_f = E_{pk}(f, r_f)$ and $C_\pi = C^f \cdot E_{pk}(0, r_\pi)$; clearly the plaintext of $C_\pi$ is the product of the other two plaintexts,

$$\mathcal{R}_{mult} = \left\{((G_q, q, g, h, C, C_f, C_\pi), (f, r_f, r_\pi)) \;\middle|\; C_f = (g^{r_f}, h^{r_f} \cdot g^f) \;\wedge\; C_\pi = C^f \cdot (g^{r_\pi}, h^{r_\pi})\right\}.$$


$\pi_{perm}$ allows a prover to demonstrate that a set of encryptions $\{C'_i\}_i$ is a permutation and rerandomization of another, $\{C_i\}_i$, i.e. that their plaintexts are equal up to order. Any protocol will do; Groth's solution [Gro03] is one possibility,

$$\mathcal{R}_{perm} = \left\{((G_q, q, g, h, \{C_i\}_i, \{C'_i\}_i), (\pi, \{r_i\}_i)) \;\text{s.t.}\; (\alpha'_i, \beta'_i) = (\alpha_{\pi(i)} \cdot g^{r_i}, \;\beta_{\pi(i)} \cdot h^{r_i}) \text{ for all } i\right\}.$$


$\pi_{nze}$ demonstrates that the prover has obtained ciphertext $C'$ from $C$ by raising $C$ to a non-zero exponent and rerandomizing, i.e. $C' = C^R \cdot E_{pk}(0, r)$. The tricky part when constructing a proof of knowledge for the relation

$$\mathcal{R}_{nze} = \left\{((G_q, q, g, h, C, C'), (R, r)) \;\text{s.t.}\; (\alpha', \beta') = (\alpha^R g^r, \;\beta^R h^r) \wedge R \neq 0\right\}$$

is to show that $R \neq 0$. To do this, the prover $P$ picks $R' \in_R \mathbb{Z}_q^*$, supplies the verifier with additional ciphertexts $C_R = E_{pk}(R, r_R)$, $C_{R'} = E_{pk}(R', r_{R'})$ and $C_\pi = E_{pk}(RR', r_\pi)$, and executes $\pi_{mult}$ twice: on $(C, C_R, C')$ and on $(C_R, C_{R'}, C_\pi)$. The prover then sends $RR'$ to the verifier and demonstrates that it is the plaintext of $C_\pi$ using $\pi_{EqDL}$ (i.e. that $C_\pi \cdot (1, g^{-RR'})$ is an encryption of 0). Finally, the verifier checks that $RR'$ is non-zero.

The executions of $\pi_{mult}$ demonstrate that $C'$ has been obtained from $C$ through exponentiation by the plaintext $R$ of $C_R$, and that the plaintext of $C_\pi$ is $RR'$. $\pi_{EqDL}$ and the final check ensure that $RR' \neq 0$, implying that $R \neq 0$ as well. Hence the protocol demonstrates that $C'$ has been obtained correctly. Further, since the verifier receives only ciphertexts along with $RR'$, which is uniformly random in $\mathbb{Z}_q^*$ due to $R'$, $\pi_{nze}$ is zero-knowledge.
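The following is an added example, not code from the paper: it implements Schnorr's $\pi_{DL}$, the Chaum-Pedersen $\pi_{EqDL}$ (used here to show that a ciphertext encrypts 0) and the $\pi_{isBit}$ OR-composition of two $\pi_{EqDL}$ statements, as $\Sigma$-protocols made non-interactive with the Fiat-Shamir heuristic (an assumption of the example; the paper's proofs are interactive). The group is a constructed toy safe prime near $2^{20}$ chosen for speed; the hash-to-$\mathbb{Z}_q$ challenge and all function names are this example's own.

```python
"""Added example (not from the paper): Schnorr's pi_DL, the Chaum-Pedersen
pi_EqDL and the pi_isBit OR-composition of Section 2.2 as Sigma-protocols,
made non-interactive with the Fiat-Shamir heuristic (an assumption; the
paper's proofs are interactive).  Toy group p = 2q+1 near 2^20, demo only."""
import hashlib
import random

rng = random.Random(2010)  # deterministic toy randomness (demo only)


def toy_group(start=1 << 20):
    """Smallest safe prime p = 2q+1 above `start`; 4 = 2^2 generates G_q."""
    def is_prime(n):
        return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


def challenge(q, *elems):
    """Fiat-Shamir challenge e in Z_q over the statement and commitments."""
    data = ",".join(str(e) for e in elems).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q


def dl_prove(p, q, g, h, x):
    """pi_DL: prove knowledge of x with h = g^x."""
    w = rng.randrange(q)
    a = pow(g, w, p)
    return a, (w + challenge(q, g, h, a) * x) % q


def dl_verify(p, q, g, h, proof):
    a, z = proof
    return pow(g, z, p) == a * pow(h, challenge(q, g, h, a), p) % p


def eqdl_prove(p, q, g1, g2, h1, h2, x):
    """pi_EqDL: prove h1 = g1^x and h2 = g2^x for the same x (a DH tuple)."""
    w = rng.randrange(q)
    a1, a2 = pow(g1, w, p), pow(g2, w, p)
    return a1, a2, (w + challenge(q, g1, g2, h1, h2, a1, a2) * x) % q


def eqdl_verify(p, q, g1, g2, h1, h2, proof):
    a1, a2, z = proof
    e = challenge(q, g1, g2, h1, h2, a1, a2)
    return (pow(g1, z, p) == a1 * pow(h1, e, p) % p
            and pow(g2, z, p) == a2 * pow(h2, e, p) % p)


def enc(p, q, g, h, m, r):
    """Additive ElGamal E_pk(m, r) = (g^r, h^r g^m)."""
    return pow(g, r, p), pow(h, r, p) * pow(g, m, p) % p


def isbit_prove(p, q, g, h, C, b, r):
    """pi_isBit: OR of 'C encrypts 0' and 'C*(1, g^-1) encrypts 0' (CGS97).
    The false branch is simulated with a freely chosen challenge; the true
    branch's challenge is then forced by e_0 + e_1 = H(...)."""
    alpha, beta = C
    betas = [beta, beta * pow(g, q - 1, p) % p]     # beta * g^{-j} for j = 0, 1
    a, e, z = [None, None], [0, 0], [0, 0]
    j = 1 - b                                       # simulated branch
    e[j], z[j] = rng.randrange(q), rng.randrange(q)
    a[j] = (pow(g, z[j], p) * pow(alpha, q - e[j], p) % p,
            pow(h, z[j], p) * pow(betas[j], q - e[j], p) % p)
    w = rng.randrange(q)                            # real branch commitment
    a[b] = (pow(g, w, p), pow(h, w, p))
    e[b] = (challenge(q, g, h, alpha, beta, *a[0], *a[1]) - e[j]) % q
    z[b] = (w + e[b] * r) % q
    return a, e, z


def isbit_verify(p, q, g, h, C, proof):
    alpha, beta = C
    a, e, z = proof
    betas = [beta, beta * pow(g, q - 1, p) % p]
    if (e[0] + e[1]) % q != challenge(q, g, h, alpha, beta, *a[0], *a[1]):
        return False
    return all(pow(g, z[j], p) == a[j][0] * pow(alpha, e[j], p) % p
               and pow(h, z[j], p) == a[j][1] * pow(betas[j], e[j], p) % p
               for j in (0, 1))


if __name__ == "__main__":
    p, q, g = toy_group()
    s = rng.randrange(1, q)
    h = pow(g, s, p)                                # public key h = g^s
    print(dl_verify(p, q, g, h, dl_prove(p, q, g, h, s)))
    r = rng.randrange(q)
    C0 = enc(p, q, g, h, 0, r)                      # (g^r, h^r) is a DH tuple
    print(eqdl_verify(p, q, g, h, *C0, eqdl_prove(p, q, g, h, *C0, r)))
    C1 = enc(p, q, g, h, 1, r)
    print(isbit_verify(p, q, g, h, C1, isbit_prove(p, q, g, h, C1, 1, r)))
    C2 = enc(p, q, g, h, 2, r)                      # not a bit: no valid proof
    print(isbit_verify(p, q, g, h, C2, isbit_prove(p, q, g, h, C2, 0, r)))
```

The last call shows why $\pi_{isBit}$ binds the prover: for a ciphertext of 2 neither branch can be answered honestly, so a prover who nevertheless runs the real branch produces a transcript that fails verification except when the forced challenge happens to be 0.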

2.3 Distributed ElGamal Encryption 

In a distributed scheme, the parties hold shares of the secret key so that the combined key remains secret. In order to decrypt, each party uses its share to generate an intermediate value, and these values are eventually combined into the decryption.

Note that the Diffie-Hellman key exchange [DH76] can be used for generating a public key and an additive sharing of the corresponding secret key [Ped91]. The parties first agree on $G_q$ and $g$. Then, each party $P_i$ picks $s_i \in_R \mathbb{Z}_q$ and sends $h_i = g^{s_i}$ to the other. Finally, the parties compute $h = h_1 \cdot h_2$ and set $pk = (G_q, q, g, h)$. Clearly the secret key associated with this public key is $s = s_1 + s_2$. In order to ensure correct behavior, the parties must prove knowledge of their $s_i$ by running $\pi_{DL}$ on $(g, h_i)$. We denote this protocol by $\pi_{KeyGen}$, which is correlated with the functionality $\mathcal{F}_{KeyGen}(1^\kappa, 1^\kappa) = ((pk, sk_1), (pk, sk_2))$.

To decrypt a ciphertext $C = (\alpha, \beta)$, the parties raise $\alpha$ to the power of their shares, $\alpha_i = \alpha^{s_i}$, send these to each other, and prove this was done correctly (with $\pi_{EqDL}$ on $(g, \alpha, h_i, \alpha_i)$). Both then output $\beta / (\alpha_1 \cdot \alpha_2) = g^m$. We denote this protocol by $\pi_{Dec}$. Note that this protocol allows a variation where only one party obtains the decrypted result.

Our final primitive is a variation of $\pi_{Dec}$ where $P_1$ learns whether the plaintext $m$ of the input $C = (\alpha, \beta)$ is zero, but nothing more. $P_2$ first raises $C$ to a random, non-zero power $R$, rerandomizes the result, and sends it to $P_1$. The parties then execute $\pi_{nze}$ to let $P_1$ verify $P_2$'s behavior. They then decrypt the final ciphertext towards $P_1$, who concludes that $m = 0$ iff the masked plaintext was 0 (i.e. iff the decryption yields $g^0 = 1$); otherwise the masked plaintext $Rm$ is uniformly random in $\mathbb{Z}_q^*$ and reveals nothing about $m$. Simulation is trivial given access to $\mathcal{F}_{ZK}^{nze}$. We denote this protocol $\pi_{dec0}$ and the associated ideal functionality $\mathcal{F}_{dec0}$.


3 The Basic, Linear Solution 


In this section we present our solution for the classic pattern matching problem. Initially, Alice holds an $n$-bit string $t$, while Bob holds an $m$-bit pattern $p$, and the parties wish to compute the functionality $\mathcal{F}_{PM}$ defined by

$$((p, n), (t, m)) \mapsto \begin{cases} \left(\{j \mid t_j = p\}_{j=1}^{n-m+1},\; \lambda\right) & \text{if } |p| = m \text{ and } |t| = n \\ (\lambda, \lambda) & \text{otherwise} \end{cases}$$

where $\lambda$ is the empty string and $t_j$ is the substring of length $m$ that begins at the $j$th position in $t$. This problem has been widely studied for decades due to its potential applications and can be solved in linear time [KMP77, BM77] when no level of security is required. We examine a secure version of this problem where Alice does not gain any information about the pattern from the protocol execution, whereas Bob does not learn anything but the matched text locations. In our setting, the parties share no information (except for the input lengths), though it is assumed that they are connected by an authenticated communication channel, and that the inputs are over the binary alphabet. Extending this to larger alphabets is discussed below. Our protocol exhibits overall linear communication and computation costs and achieves full simulation in the presence of malicious adversaries.

Here and below, we have the parties jointly (and securely) transform their input from binary representation into elements of $\mathbb{Z}_q$ (we assume that $m < \log_2 q$; larger pattern lengths can be accommodated, e.g. by increasing the plaintext space, see Section 3.1), while exploiting the fact that every two consecutive substrings of the text are closely related. Informally, both parties break their inputs into bits and encrypt each bit separately. Next, the parties map every $m$ consecutive encryptions of bits into a single encryption of the $m$-bit character whose binary representation is assembled from these $m$ bits. Thus, the problem is reduced to comparing two elements of $\mathbb{Z}_{2^m}$ (embedded into $\mathbb{Z}_q$). The crux of our protocol is to efficiently compute this mapping.

We are now ready to give a detailed description of our construction.

Protocol $\pi_{PM}$

- Inputs: The input of Alice is a binary string $t$ of length $n$ and an integer $m$, whereas the input of Bob is a binary string $p$ of length $m$ and an integer $n$. The parties share a security parameter $1^\kappa$ as well.

- The protocol:

1. Alice and Bob run protocol $\pi_{KeyGen}(1^\kappa, 1^\kappa)$ to generate a public key $pk = (G_q, q, g, h)$, and the respective shares $s_A$ and $s_B$ of the secret key $sk$ of Alice and Bob.

2. Bob sends encryptions $P_i = E_{pk}(p_i; r_{p_i})$, $i = 1, \ldots, m$, of his $m$-bit pattern $p$ to Alice. Further, for each encryption the parties run the zero-knowledge proof of knowledge $\pi_{isBit}$, allowing Alice to verify that the plaintext of $P_i$ is a bit known to Bob, i.e. that he has provided a bit-string of length $m$. Both parties then compute an encryption of Bob's pattern,

$$P \leftarrow \prod_{i=1}^{m} P_i^{2^{i-1}} \qquad (1)$$

using the homomorphic property of ElGamal encryption.

3. Alice sends encryptions $T_i = E_{pk}(t_i; r_{t_i})$, $i = 1, \ldots, n$, of the bits $t_i$ of her $n$-bit text $t$ to Bob. Further, for each encryption the parties run $\pi_{isBit}$, allowing Bob to verify that the plaintext of $T_i$ is a bit known to Alice, i.e. that she has indeed provided the encryption of a bit-string of length $n$ that she knows.

4. Let $t_j$ be the $m$-bit substring of Alice's text $t$ starting at position $j = 1, \ldots, n-m+1$. For each such substring both parties compute an encryption of that substring,

$$T_j \leftarrow \prod_{i=j}^{j+m-1} T_i^{2^{i-j}} \qquad (2)$$

5. For every $T_j$, $j = 1, \ldots, n-m+1$, both parties compute

$$\Delta_j \leftarrow T_j \cdot P^{-1}. \qquad (3)$$

6. For every $\Delta_j$, $j = 1, \ldots, n-m+1$, Alice and Bob reveal to Bob whether its plaintext $\delta_j$ is zero by running $\pi_{dec0}$. Bob then outputs $j$ if this is the case.

Correctness of $\pi_{PM}$. Before turning to our proof, we explain the intuition and demonstrate that protocol $\pi_{PM}$ correctly determines which substrings of the text $t$ match the pattern $p$. Recall that the value $P$ that is computed in Eq. (1) (Step 2) is an encryption of Bob's pattern, $p = \sum_{i=1}^{m} 2^{i-1} p_i$. This follows from the homomorphic property of ElGamal encryption,

$$P = \prod_{i=1}^{m} P_i^{2^{i-1}} = E_{pk}\left(\sum_{i=1}^{m} 2^{i-1} p_i,\; \sum_{i=1}^{m} 2^{i-1} r_{p_i}\right). \qquad (4)$$

Note that $P$ is obtained deterministically from the $P_i$, hence both Alice and Bob hold the same fixed encryption. Similarly, in Eq. (2) computed in Step 4 the parties compute encryptions of the substrings of length $m$ of Alice's text,

$$t_j = \sum_{i=j}^{j+m-1} 2^{i-j} t_i,$$

see the detailed discussion in the complexity paragraph regarding the efficiency of this step. As with $P$, the parties hold the same, fixed encryptions (with randomness $r_{t_j} = \sum_{i=j}^{j+m-1} 2^{i-j} r_{t_i}$). The encryption $\Delta_j$ computed by Eq. (3) is an encryption of $\delta_j = t_j - p$, i.e. the (in $\mathbb{Z}_q$) difference between the substring of the text starting at position $j$ and the pattern,

$$\Delta_j = T_j \cdot P^{-1} = E_{pk}(t_j - p,\; r_{t_j} - r_p).$$

At this point, it simply remains for Bob to securely determine which of the $\Delta_j$ are encryptions of zero, as

$$\delta_j = 0 \iff t_j = p.$$

(Here the assumption $2^m \le q$ is used: $t_j - p$ lies in $(-2^m, 2^m)$, so it is zero modulo $q$ only if it is zero as an integer.)

Security of $\pi_{PM}$. We are now ready to prove the following theorem.

Theorem 1 (linear pattern matching): Assume that $\pi_{KeyGen}$, $\pi_{dec0}$ and $\pi_{isBit}$ are as described in Section 2 and that $(G, E, D)$ is the ElGamal scheme. Then $\pi_{PM}$ securely computes $\mathcal{F}_{PM}$ in the presence of malicious adversaries.

Proof. We separately prove security in the case that Alice is corrupted and the case that Bob is corrupted. Our proof is in a hybrid model where a trusted party computes the ideal functionalities $\mathcal{F}_{KeyGen}$, $\mathcal{F}_{dec0}$ and $\mathcal{F}_{ZK}^{isBit}$.
Bob is corrupted. Let $\mathcal{A}$ denote an adversary controlling Bob. In this case we need to prove that Bob does not learn anything but the matching text locations. We construct a simulator $\mathcal{S}$ as follows.

1. $\mathcal{S}$ is given a pattern $p$ of length $m$, an integer $n$ and $\mathcal{A}$'s auxiliary input, and invokes $\mathcal{A}$ on these values.

2. $\mathcal{S}$ emulates the trusted party for $\pi_{KeyGen}$ as follows. It first chooses two random elements $s_A, s_B \in \mathbb{Z}_q$ and hands $\mathcal{A}$ its share $s_B$ and the public key $(G_q, q, g, h = g^{s_A + s_B})$.

3. $\mathcal{S}$ receives from $\mathcal{A}$ $m$ encryptions and $\mathcal{A}$'s input for the trusted party for $\mathcal{F}_{ZK}^{isBit}$. If the conditions under which the functionality outputs 1 are not met, $\mathcal{S}$ aborts by sending $\bot$ to the trusted party for $\mathcal{F}_{PM}$ and outputs whatever $\mathcal{A}$ outputs.

4. Otherwise, $\mathcal{S}$ defines the pattern $p$ according to the witnesses for $\pi_{isBit}$ and sends it to its trusted party. Let $Z$ be the set of returned indices.

5. $\mathcal{S}$ defines a text $t'$ that is consistent with $Z$. That is, for every $j \in Z$, $\mathcal{S}$ defines the substring $t'_j = t'_j \cdots t'_{j+m-1} = p_1 \cdots p_m$. For the remaining indices $\mathcal{S}$ uses the bit one. ($\mathcal{S}$ verifies that the only matches in $t'$ indeed correspond to the indices from the set $Z$.) $\mathcal{S}$ completes the execution as the honest Alice would on input $t'$.

6. If at any point $\mathcal{A}$ sends an invalid message, $\mathcal{S}$ aborts, sending $\bot$ to the trusted party for $\mathcal{F}_{PM}$. Otherwise, it outputs whatever $\mathcal{A}$ does.

It is immediate to see that $\mathcal{S}$ runs in probabilistic polynomial time. We prove next that the adversary's views are computationally indistinguishable via a reduction to the security of ElGamal. Recalling that the only difference between these views is with respect to the text locations that do not match the pattern (as $\mathcal{S}$ uses the bit one instead of the actual bit value from $t$), we reduce the ability to distinguish these views to the ability to distinguish the encryptions of the real text from those of the simulated one at these locations.

Assume there exists a distinguisher $D$ for these executions; we construct a distinguisher $D_e$ breaking the semantic security of ElGamal encryption as follows. Upon receiving a public key $pk$ and auxiliary input $t$, $D_e$ engages in an execution of $\pi_{KeyGen}$ with $\mathcal{A}$ and sends it $(s_B, pk)$ where $s_B \in_R \mathbb{Z}_q$. $D_e$ continues emulating the role of Alice as $\mathcal{S}$ does, except for Step 3 where it needs to send the encryptions of $t_1, \ldots, t_n$. In this step $D_e$ outputs two sets of plaintexts: (i) $t_1, \ldots, t_n$ and (ii) $t'_1, \ldots, t'_n$. We denote by $T_1, \ldots, T_n$ the set of encryptions it receives back. $D_e$ hands $\mathcal{A}$ this set and completes the run as follows. In Step 6 $D_e$ replaces $\Delta_j$ with an encryption of zero if and only if $j \in Z$. Otherwise, $D_e$ sends an encryption of a random value in $\mathbb{Z}_q^*$. Clearly, this step is computed differently than in both the hybrid and simulated executions. Nevertheless, we claim that the distributions on the encryptions are identical. This is due to the fact that for every matched text location the masking result equals zero, and for every non-matching text location the masking result equals a random element of $\mathbb{Z}_q^*$. Hence, the adversary's views are identical.

Finally, $D_e$ invokes $D$ on $\mathcal{A}$'s output and outputs whatever $D$ outputs. Note that if $D_e$ is given the encryptions of $t$ then the adversary's view is distributed as in the hybrid execution. Moreover, if it receives the encryptions of $t'$, then the adversary's view is as in the simulation with $\mathcal{S}$.

Alice is corrupted. Since Alice does not receive any output from the execution, we only need to prove that privacy is preserved, and that Bob's output cannot be affected (except with negligible probability). The proof follows the outline of the former case. Therefore, due to space considerations we omit the details here.

Complexity of $\pi_{PM}$. The round complexity is constant, as the key generation process and the zero-knowledge proofs run in constant rounds. Further, the number of group elements exchanged is bounded by $O(n + m)$, as there are $n - m + 1$ substrings of length $m$ and each zero-knowledge proof requires a constant number of group elements.

Regarding computational complexity, it is clear that except for Step 4 at most $O(m + n)$ exponentiations are required. Note first that Eq. (2) can be implemented using the square-and-multiply technique. Namely, for every $j = 1, \ldots, n-m+1$, $T_j$ is computed as

$$T_j = \Big(\ldots\big((T_j)^2 \cdot T_{j+1}\big)^2 \cdot T_{j+2} \cdots\Big)^2 \cdot T_{j+m-1}.$$

(This assigns $T_i$ the weight $2^{m-1-(i-j)}$, i.e. the reversed bit order relative to Eq. (2); $P$ must then be formed in Eq. (1) with the same order.) This requires $O(m)$ multiplications for each text location, which amounts to a total of $O(nm)$ multiplications for the entire text. Reducing the number of multiplications to $O(n)$ (at the expense of increasing the number of exponentiations) can easily be shown. Loosely speaking, in addition to sending an encryption of 0 or 1 for each text location, Alice sends an encryption of 0 or $2^m$, respectively, and proves consistency. From a practical point of view, it may be much more efficient to compute $O(m)$ multiplications for each location than to prove this consistency (even though it only requires a constant number of exponentiations).

Finally, note that our protocols utilize ElGamal encryption which can be implemented over an elliptic curve group. This may reduce the modulus value dramatically, as now only 160 bits are typically needed for the size of the key.

3.1 Variations 

Non-binary alphabets. Alphabets of larger size $s$ can be handled by encoding the characters as elements of $\mathbb{Z}_s$ and using $s$-ary rather than binary notation for the $T_j$ and $P$. Proving in ZK that an encryption contains a valid character is straightforward, e.g. the character can be provided in binary (which of course requires $O(\log s)$ encryptions).

Long patterns. When the pattern length $m$ (or the alphabet size $s$) is large, requiring $q > s^m$ may not be acceptable. This can be avoided by encoding the pattern $p$ and substrings $t_j$ into multiple $\mathbb{Z}_q$ values, $\{p^{(i)}\}_i$, $\{t_j^{(i)}\}_i$. Having computed encryptions $\{\Delta_i\}_i$ of the differences $\{\delta_i = p^{(i)} - t_j^{(i)}\}_i$, Alice raises each encryption to a random, non-zero exponent $r_i$, rerandomizes them and sends them to Bob (and proves that everything was done correctly, using $\pi_{nze}$). The parties then execute $\pi_{dec0}$ on the product of these encryptions and Bob reports a match if a 0 is found. Note that the plaintext of this product is $\sum_i r_i \cdot \delta_i$. Thus, if the pattern matches, all $\delta_i = 0$, implying that this is an encryption of 0. If one or more $\delta_i \neq 0$, then the probability of this being an encryption of 0 is negligible (at most $1/(q-1)$ over the choice of the $r_i$).
Hiding match locations. It may be required that Bob only learns the number of matches and not the actual locations of the hits. One example is determining how frequently some gene occurs rather than where it occurs in some DNA sequence. This is easily achieved by simply having Alice pick a uniformly random permutation and permute (and rerandomize) the $\Delta_j$ of Eq. (3). The encryptions are sent to Bob, and $\pi_{perm}$ is executed, allowing him to verify Alice's behavior. Finally, $\pi_{dec0}$ is run and Bob outputs the number of encryptions of 0 received.

Correctness is immediate: An encryption of 0 still signals that a match oc- 
curred. However, due to the random permutation that Alice applies, the locations 
are shuffled, implying that Bob does not learn the actual matches. 


4 Secure Pattern Matching with Wildcards 


The first variant of the classical pattern matching problem allows Bob to place wildcards, denoted by $*$, in his pattern; these should match both 0 and 1. More formally, the parties wish to compute the functionality $\mathcal{F}_{PM\text{-}*}$ defined by

$$((p, n), (t, m)) \mapsto \begin{cases} \left(\{j \mid t_j \doteq p\}_{j=1}^{n-m+1},\; \lambda\right) & \text{if } |p| = m \text{ and } |t| = n \\ (\lambda, \lambda) & \text{otherwise} \end{cases}$$

where $t_j$ is the substring of length $m$ that begins at the $j$th position of $t$ and $\doteq$ is defined as "equal except with respect to $*$-positions." This problem has been widely looked at by researchers with the aim of generalizing the basic searching model to searching with errors. This variant is known as pattern matching with don't cares and can be solved in $O(n + m)$ time [FP74]. The secure version of this problem guarantees that Alice will not be able to trace the locations of the don't cares, in addition to the security requirement introduced for the basic problem.

The core idea of the solution is to proceed as in the standard one with two exceptions: Bob must supply the wildcard positions in encrypted form, and the substrings of Alice's text must be modified to ensure that they will match (i.e. equal) the pattern at those positions. Achieving correctness and ensuring correct behavior requires substantial modification of the protocol. Intuitively, for every $m$-bit substring $t_j$ of $t$, Bob replaces Alice's value by 0 at the wildcard positions, resulting in a string $t'_j$, see Step 6 below. Similarly, a pattern $p'$ is obtained from $p$ by replacing the wildcards by 0. Clearly this ensures that the bits of $t'_j$ and $p'$ are equal at all wildcard positions. Thus, $t'_j = p'$ precisely when $t_j$ equals $p$ at all non-wildcard positions.

Protocol $\pi_{PM\text{-}*}$

- Inputs: The input of Alice is a binary string $t$ of length $n$ and an integer $m$, whereas the input of Bob is a string $p$ over the alphabet $\{0, 1, *\}$ of length $m$ and an integer $n$. The parties share a security parameter $1^\kappa$ as well.

- The protocol:

1. Alice and Bob run protocol $\pi_{KeyGen}(1^\kappa, 1^\kappa)$ to generate a public key $pk = (G_q, q, g, h)$, and the respective shares $s_A$ and $s_B$ of the secret key $sk$.

2. For each position $i = 1, \ldots, m$, Bob first replaces $*$ by 0,

$$p'_i = \begin{cases} 1 & \text{if } p_i = 1 \\ 0 & \text{otherwise} \end{cases}$$

He then sends encryptions $P'_i = E_{pk}(p'_i, r_{p'_i})$ for $i = 1, \ldots, m$ to Alice, and for each one they execute $\pi_{isBit}$. Finally, both parties compute an encryption of Bob's "pattern" in binary,

$$P' \leftarrow \prod_{i=1}^{m} (P'_i)^{2^{i-1}}.$$

3. For each position $i = 1, \ldots, m$ of Bob's pattern, he computes a bit denoting the occurrences of a $*$,

$$w_i = \begin{cases} 0 & \text{if } p_i = * \\ 1 & \text{otherwise} \end{cases}$$

He then encrypts these and sends the result, $W_i = E_{pk}(w_i, r_{w_i})$, to Alice, and the two run $\pi_{isBit}$ for each one.

4. For each $i = 1, \ldots, m$, Bob and Alice run $\pi_{isBit}$ on $W_i / P'_i$. This demonstrates to Alice that if $p'_i$ is set, then so is $w_i$ (the plaintext $w_i - p'_i$ is a bit exactly when $(w_i, p'_i) \neq (0, 1)$), i.e. that only 0's occur at wildcard positions.

5. Alice supplies her input as in Step 3 of Protocol $\pi_{PM}$ in Section 3. She sends encryptions $T_i = E_{pk}(t_i; r_{t_i})$, $i = 1, \ldots, n$, of the bits of $t$ to Bob. Then the parties run $\pi_{isBit}$ for each of the encryptions.

6. For every entry $i = 1, \ldots, m$ of every $m$-bit substring of $t$ starting at position $j = 1, \ldots, n-m+1$, Bob computes an encryption

$$T_{j,i} \leftarrow (T_{j+i-1})^{w_i} \cdot E_{pk}(0, r_{j,i}).$$

He sends these to Alice, and they run $\pi_{mult}$ on each triple $(T_{j+i-1}, W_i, T_{j,i})$, allowing Alice to verify that Bob has correctly multiplied the plaintexts of the $W_i$ onto the $T_{j+i-1}$. Both parties then compute encryptions of the modified substrings of Alice's text,

$$T'_j \leftarrow \prod_{i=1}^{m} (T_{j,i})^{2^{i-1}}.$$

7. The protocol concludes as Protocol $\pi_{PM}$ does. For each of the $T'_j$ where $j = 1, \ldots, n-m+1$, the parties compute

$$\Delta_j \leftarrow T'_j \cdot P'^{-1},$$

and run $\pi_{dec0}$. This reveals to Bob which of the plaintexts $\delta_j$ are 0. For each $\delta_j = 0$ he concludes that the pattern matched and outputs $j$.

To see that the protocol does not introduce new opportunities for malicious behavior, first note that Alice's specification is essentially as in the basic protocol $\pi_{PM}$. Regarding Bob, the proofs of correct behavior limit him to supplying an input that an honest Bob could have supplied as well. Bob's input, $p'_i$, $i = 1, \ldots, m$, is first shown to be a bit string, Step 2. The invocations of $\pi_{isBit}$ of Step 3 then ensure that so is the "wildcard string." Finally, in Step 4 it is verified that for each wildcard $p_i$ of $p$, $p'_i = 0$. In other words, there is a valid input where the honest Bob would send encryptions of the values that the malicious Bob can use. The only remaining option for a malicious Bob is in Step 6; however, the invocations of $\pi_{mult}$ ensure his correct behavior. Formal simulation is analogous to that in Section 3. We state the following theorem:

Theorem 2 (wildcards): Assume that $\pi_{KeyGen}$, $\pi_{dec0}$, $\pi_{isBit}$ and $\pi_{mult}$ are as described in Section 2 and that $(G, E, D)$ is the ElGamal scheme. Then $\pi_{PM\text{-}*}$ securely computes $\mathcal{F}_{PM\text{-}*}$ in the presence of malicious adversaries.

Regarding complexity, clearly the most costly part of the protocol is Step 6, which requires Bob to send $O(nm)$ encryptions $T_{j,i}$ to Alice, as well as an invocation of $\pi_{mult}$ for each of them. Hence, communication and computation complexity are increased to $O(nm)$, while round complexity remains constant.

5 Secure Approximate Matching 

The second variation considered is approximate pattern matching: Alice holds an $n$-bit string $t$, while Bob holds an $m$-bit pattern $p$. The parties wish to determine approximate matches, i.e. strings with Hamming distance less than some threshold $\tau < m$. This is captured by the functionality $\mathcal{F}_{APM}$ defined by

$$((p, n, \tau), (t, m, \tau')) \mapsto \begin{cases} \left(\{j \mid \delta_H(t_j, p) < \tau\}_{j=1}^{n-m+1},\; \lambda\right) & \text{if } |p| = m,\; \tau = \tau' \text{ and } |t| = n \\ (\lambda, \lambda) & \text{otherwise} \end{cases}$$

where $\delta_H$ denotes Hamming distance and $t_j$ is the substring of length $m$ that begins at the $j$th position in $t$. We assume that the parties share some threshold $\tau \in \mathbb{N}$. Note that this problem is an extension of the pattern matching with don't cares problem introduced in Section 4: Bob is able to learn all the matches within some error bound instead of learning the matches for specified error locations.

Two of the most important applications of approximate pattern matching are spell checking and matching DNA sequences. The most recent algorithm for solving this problem without considering privacy is by Amir et al. [ALP00], which introduced a solution in time $O(n\sqrt{\tau \log \tau})$. Our solution achieves $O(nm)$ computation and communication complexity.

The main idea behind the construction is to have the parties securely supply their inputs in binary as above. Then, to determine the matches, the parties first compute the (encrypted) Hamming distances $h_j$ using the homomorphic properties of ElGamal encryption (Steps 5 and 6). They then check whether $h_j = k$ for each $k < \tau$. To avoid leaking information, these results are permuted before the final decryption.
Protocol $\pi_{APM}$

- Inputs: The input of Alice is a binary string $t$ of length $n$, an integer $m$ and a threshold $\tau'$, whereas the input of Bob is a binary string $p$ of length $m$, an integer $n$ and a threshold $\tau$. The parties share a security parameter $1^\kappa$ as well.

- The protocol:

1. Alice and Bob run protocol $\pi_{KeyGen}(1^\kappa, 1^\kappa)$ to generate a public key $pk = (G_q, q, g, h)$, and the respective shares $s_A$ and $s_B$ of the secret key $sk$.

2. Alice sends Bob $\tau'$ and the parties continue if $\tau = \tau'$.

3. As in the basic solution, Bob first sends encryptions $P_i = E_{pk}(p_i; r_{p_i})$, $i = 1, \ldots, m$, of the bits of his $m$-bit pattern $p$ to Alice. They then run $\pi_{isBit}$ for each one.

4. Alice similarly provides encryptions $T_i = E_{pk}(t_i; r_{t_i})$, $i = 1, \ldots, n$, of her input as in $\pi_{PM}$; for each one the parties execute $\pi_{isBit}$.

5. For every entry $i = 1, \ldots, m$ of every $m$-bit substring of $t$ starting at position $j = 1, \ldots, n-m+1$, Bob computes an encryption

$$\Pi_{j,i} \leftarrow (T_{j+i-1})^{p_i} \cdot E_{pk}(0, r_{j,i}). \qquad (5)$$

He sends these to Alice, and for each triple $(T_{j+i-1}, P_i, \Pi_{j,i})$ the parties run $\pi_{mult}$. This allows Alice to verify that Bob has correctly multiplied the plaintexts of the $P_i$ onto the $T_{j+i-1}$.

6. For every entry $i = 1, \ldots, m$ of every $m$-bit substring of $t$ starting at position $j = 1, \ldots, n-m+1$, both parties compute encryptions $X_{j,i}$,

$$X_{j,i} \leftarrow T_{j+i-1} \cdot P_i \cdot \Pi_{j,i}^{-2}.$$

Note that as the plaintext of $\Pi_{j,i}$ is $p_i \cdot t_{j+i-1}$, the plaintext of $X_{j,i}$ is $p_i \oplus t_{j+i-1}$. For every $j = 1, \ldots, n-m+1$, i.e. for every substring, both parties compute

$$H_j \leftarrow \prod_{i=1}^{m} X_{j,i}.$$

7. For every $k = 0, \ldots, \tau - 1$ (i.e. for every Hamming distance which would be considered a match) and for every substring of length $m$ starting at $j = 1, \ldots, n-m+1$, both parties compute

$$\Delta_{j,k} \leftarrow H_j \cdot (1, g^{-k}). \qquad (6)$$

8. For every $j = 1, \ldots, n-m+1$, Alice picks a uniformly random permutation $\pi_j : \mathbb{Z}_\tau \to \mathbb{Z}_\tau$ and applies $\pi_j$ to the set $\{\Delta_{j,k}\}_k$,

$$\Delta'_{j,k} \leftarrow \Delta_{j,\pi_j(k)},$$

rerandomizes all encryptions,

$$\Delta''_{j,k} \leftarrow \Delta'_{j,k} \cdot E_{pk}(0, r_{j,k})$$

for $j = 1, \ldots, n-m+1$ and $k = 0, \ldots, \tau-1$, and sends the $\Delta''_{j,k}$ to Bob. For every permutation, $j = 1, \ldots, n-m+1$, the parties execute $\pi_{perm}$ on $((\Delta_{j,0}, \ldots, \Delta_{j,\tau-1}), (\Delta''_{j,0}, \ldots, \Delta''_{j,\tau-1}))$, allowing Bob to verify that the plaintexts of the $\Delta''_{j,k}$ correspond to those of the $\Delta_{j,k}$ for all (fixed) $j$.

9. Finally, Alice and Bob execute $\pi_{dec0}$ on each $\Delta''_{j,k}$ for $j = 1, \ldots, n-m+1$ and $k = 0, \ldots, \tau-1$. This reveals to Bob which plaintexts $\delta''_{j,k}$ are 0. He then outputs $j$ iff this is the case for one of $\delta''_{j,0}, \ldots, \delta''_{j,\tau-1}$.

Correctness follows from the intuition: The plaintexts of the $H_j$ from Step 6 are the sums of those of the $X_{j,i}$, $i = 1, \ldots, m$. I.e. it is the number of differing bits of $p$ and $t_j$, the Hamming distance, as the plaintext of $X_{j,i}$ is

$$t_{j+i-1} + p_i - 2 \cdot t_{j+i-1} \cdot p_i = t_{j+i-1} \oplus p_i.$$

Each threshold test is performed using $\tau$ tests of equality, one for each possible value $k < \tau$, where each test simply subtracts the associated $k$ from $H_j$ under the encryption, Eq. (6), at which point the parties may mask and decrypt towards Bob. Note that the standard masking combined with the permutation of Step 8 ensures that for every potential match, Bob either receives $\tau$ uniformly random encryptions of random, non-zero values, or $\tau - 1$ such encryptions and a single encryption of zero at a position that reveals nothing about the actual distance $k$. Hence we state the following theorem:

Theorem 3 (approximate): Assume that $\pi_{KeyGen}$, $\pi_{dec0}$, $\pi_{isBit}$, $\pi_{perm}$ and $\pi_{mult}$ are as described in Section 2 and that $(G, E, D)$ is the ElGamal scheme. Then $\pi_{APM}$ securely computes $\mathcal{F}_{APM}$ in the presence of malicious adversaries.

Regarding complexity, the most expensive steps are those associated with computing the Hamming distances, Steps 5 and 6, as there are $O(nm)$ $\Pi_{j,i}$ and $X_{j,i}$. The concluding steps, computing, randomizing (permuting), and decrypting the $\Delta_{j,k}$, require $O(n\tau)$ work; however, as $\tau < m$ this is no more expensive. Hence overall communication and computation is $O(mn)$, while round complexity is constant as in the previous solutions.
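The following added example (not the paper's code) runs the encrypted computations of $\pi_{PM}$ (Section 3), $\pi_{PM\text{-}*}$ (Section 4) and $\pi_{APM}$ (Section 5) on top of the ElGamal arithmetic of Sections 2.1 and 2.3. It is a local simulation: both parties' key shares live in one process, the zero-knowledge proofs ($\pi_{isBit}$, $\pi_{mult}$, $\pi_{perm}$, $\pi_{nze}$) are omitted, and only the ciphertext arithmetic and the $\pi_{dec0}$ zero test are exercised. The group is a constructed safe-prime subgroup generated at runtime from a fixed seed, and all function names and the sample text are this example's own.

```python
"""Added example, not the paper's code: the ElGamal arithmetic of Sections 2.1
and 2.3 driving the encrypted computations of pi_PM (Section 3), pi_PM-*
(Section 4) and pi_APM (Section 5).  Both key shares live in one process and
the zero-knowledge proofs are omitted: only the ciphertext arithmetic and the
pi_dec0 zero test are exercised."""
import random

rng = random.Random(2010)  # deterministic toy randomness (demo only)

def probable_prime(n, rounds=32):
    """Miller-Rabin with random bases."""
    if n < 2 or any(n % s == 0 for s in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits=96):
    """p = 2q+1 with q prime; a random square generates the order-q subgroup G_q."""
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if probable_prime(q) and probable_prime(2 * q + 1):
            return 2 * q + 1, q, pow(rng.randrange(2, 2 * q - 1), 2, 2 * q + 1)

class ElGamal:
    """E_pk(m, r) = (g^r, h^r g^m); multiplying ciphertexts adds plaintexts."""
    def __init__(self, p, q, g, h):
        self.p, self.q, self.g, self.h = p, q, g, h
    def enc(self, m, r=None):
        r = rng.randrange(self.q) if r is None else r
        return pow(self.g, r, self.p), pow(self.h, r, self.p) * pow(self.g, m % self.q, self.p) % self.p
    def mul(self, c, d):      # plaintext addition
        return c[0] * d[0] % self.p, c[1] * d[1] % self.p
    def exp(self, c, e):      # C^e: plaintext times e (e may be negative)
        return pow(c[0], e % self.q, self.p), pow(c[1], e % self.q, self.p)
    def rerand(self, c):      # C * E_pk(0, r)
        return self.mul(c, self.enc(0))

def keygen(p, q, g):
    """pi_KeyGen: h = g^{s_A} g^{s_B}; the secret key s_A + s_B is never assembled."""
    s_a, s_b = rng.randrange(1, q), rng.randrange(1, q)
    return ElGamal(p, q, g, pow(g, s_a, p) * pow(g, s_b, p) % p), s_a, s_b

def dec0(eg, s_a, s_b, c):
    """pi_dec0: mask C by a random non-zero exponent (proved with pi_nze in the
    paper), then decrypt with both shares to g^{R m}, which is 1 iff m = 0."""
    alpha, beta = eg.rerand(eg.exp(c, rng.randrange(1, eg.q)))
    return beta * pow(alpha, -(s_a + s_b) % eg.q, eg.p) % eg.p == 1

def pack(eg, cts, base=2):
    """Eq. (1)/(2): prod_i C_i^{base^(i-1)} by square-and-multiply, so the first
    ciphertext carries the lowest digit (assumes base^len(cts) <= q, as in Section 3)."""
    acc = (1, 1)
    for c in reversed(cts):
        acc = eg.mul(eg.exp(acc, base), c)
    return acc

def pm(eg, s_a, s_b, t, p):
    """pi_PM: 1-based positions j with t_j = p (Eqs. (1)-(3) plus pi_dec0)."""
    T, P, m = [eg.enc(b) for b in t], pack(eg, [eg.enc(b) for b in p]), len(p)
    return [j + 1 for j in range(len(t) - m + 1)
            if dec0(eg, s_a, s_b, eg.mul(pack(eg, T[j:j + m]), eg.exp(P, -1)))]

def pm_wild(eg, s_a, s_b, t, p):
    """pi_PM-*: p over {0, 1, '*'}; wildcard positions are zeroed on both sides."""
    w = [0 if c == "*" else 1 for c in p]                     # w_i, known to Bob
    Pp = pack(eg, [eg.enc(1 if c == 1 else 0) for c in p])    # P' from p'
    T, m, out = [eg.enc(b) for b in t], len(p), []
    for j in range(len(t) - m + 1):
        Tji = [eg.rerand(eg.exp(T[j + i], w[i])) for i in range(m)]  # Step 6
        if dec0(eg, s_a, s_b, eg.mul(pack(eg, Tji), eg.exp(Pp, -1))):
            out.append(j + 1)
    return out

def pm_approx(eg, s_a, s_b, t, p, tau):
    """pi_APM: positions whose Hamming distance to p is below tau (Steps 5-9)."""
    P, T, out = [eg.enc(b) for b in p], [eg.enc(b) for b in t], []
    for j in range(len(t) - len(p) + 1):
        H = (1, 1)
        for i, p_i in enumerate(p):
            prod = eg.rerand(eg.exp(T[j + i], p_i))                # Eq. (5): t*p
            X = eg.mul(eg.mul(T[j + i], P[i]), eg.exp(prod, -2))  # t + p - 2tp = t xor p
            H = eg.mul(H, X)                                      # encrypted Hamming distance
        deltas = [eg.rerand(eg.mul(H, (1, pow(eg.g, -k % eg.q, eg.p)))) for k in range(tau)]
        rng.shuffle(deltas)                                       # Step 8: hide which k matched
        if any(dec0(eg, s_a, s_b, d) for d in deltas):
            out.append(j + 1)
    return out

if __name__ == "__main__":
    eg, s_a, s_b = keygen(*safe_prime_group())
    text = [1, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 1]                   # constructed input
    print(pm(eg, s_a, s_b, text, [1, 0, 1, 1]),                    # [1, 6, 9]
          pm_wild(eg, s_a, s_b, text, [1, "*", 1, "*"]),           # [1, 4, 6, 9]
          pm_approx(eg, s_a, s_b, text, [1, 0, 1, 1], 2))          # [1, 4, 6, 9]
```

Two details worth noticing: `pack` multiplies from the last ciphertext inwards so that the bit order matches Eqs. (1) and (2), and `dec0` never reconstructs $s_A + s_B$ explicitly in a real deployment (here both shares are applied in one expression only because the simulation runs in one process). The masking exponent in `dec0` is what makes a non-match decrypt to a random group element instead of the actual difference $t_j - p$.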

6 Hiding the Pattern Length 

Here Alice is not required to know the length $m$ of Bob's pattern, only an upper bound $M \ge m$. Moreover, she will not learn any information about $m$. More formally, the parties wish to compute the functionality $\mathcal{F}_{PM\text{-}hpl}$ defined by

$$((p, n), (t, M)) \mapsto \begin{cases} \left(\{j \mid t_j = p\}_{j=1}^{n-m+1},\; \lambda\right) & \text{if } |p| \le M \text{ and } |t| = n \\ (\lambda, \lambda) & \text{otherwise} \end{cases}$$

where $t_j$ is the substring of length $m$ that begins at the $j$th position in $t$. A protocol $\pi_{PM\text{-}hpl}$ that realizes $\mathcal{F}_{PM\text{-}hpl}$ can be obtained through minor alterations of $\pi_{PM\text{-}*}$. Due to space constraints we only sketch these, and postpone the detailed description and simulator proof to the full version of the paper.

The main idea is to have Bob construct a pattern p of length M by padding 
p with M — m wildcards. Though not completely correct, intuitively, executing 
ttpm-. on input ((p, n) , ( t,M )) provides the desired result, as the wildcards en- 
sure that the irrelevant postfixes of the tj are “ignored.” There are two reasons 
why this does not suffice. Firstly, the wildcards of 7r PM _, mean match any char- 
acter, however, matches must also be found when the wildcards occur after the 
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end of the text (where there are no characters). Secondly, a malicious Bob must 
not have full access to wildcard-usage - i.e. he must not be able to arbitrarily 
place wildcards, they must occur only at the end of p. 

— Matching $t_j$ when $j > n − M + 1$: The solution to the former problem
is completely straightforward: extend (pad) t with symbols that only match
wildcards. Going into more detail, first let N = n + M − 1. The parties pad
Alice’s encrypted text $T_1, \dots, T_n$ with M − 1 default encryptions of 2,

$$T_{n+1} = \dots = T_N = (1, g^2).$$

Then, rather than use a binary representation for the encryptions $P'$ and $T'_j$
(the two steps of $\pi_{PM\text{-}*}$ that form these encryptions), we use a ternary representation

$$P' = \prod_{k=1}^{M} P_k^{\,3^{k-1}}, \qquad T'_j = \prod_{i=j}^{j+M-1} T_i^{\,3^{i-j}}.$$

Intuitively, this works as we have simply extended our alphabet with an
additional character, 2.

— Ensuring a proper p: To prevent malicious behavior, Bob should demon-
strate to Alice that p has been properly constructed, i.e. that all wildcards
occur at the end of the pattern. This can be done by showing that $w_1, \dots, w_M$
is monotonically non-increasing, i.e. that a 1 (non-wildcard) never follows a
0 (wildcard). Bob can demonstrate this fact by executing $\pi_{isBit}$ on $W_i / W_{i+1}$
(an encryption of $w_i − w_{i+1}$ under the homomorphism) for i = 1, ..., M − 1.

Complexity is equivalent to $\pi_{PM\text{-}*}$. We conclude with the following theorem.

Theorem 4 (pattern length hiding): Assume that $\pi_{KeyGen}$, $\pi_{Dec}$, $\pi_{isBit}$, and $\pi_{mult}$
are as described above and that (G, E, D) is the ElGamal scheme. Then
$\pi_{PM\text{-}hpl}$ securely computes $\mathcal{F}_{PM\text{-}hpl}$ in the presence of malicious adversaries.


7 Hiding the Text Length 


The final variant does not require Bob to know the actual text length n, only an
upper bound N ≥ n. Moreover, he learns no information about n other than what
can be inferred from the output. This property is desirable in applications where
it is crucial to hide the size of the database, as it gives away sensitive information.
More formally, the parties wish to compute the functionality $\mathcal{F}_{PM\text{-}htl}$,

$$
\mathcal{F}_{PM\text{-}htl}\colon\ ((p, N), (t, m)) \mapsto
\begin{cases}
\big(\{\, j \mid t_j = p \,\}_{j=1}^{\,n-m+1},\ \lambda\big) & \text{if } |p| = m \text{ and } |t| \le N,\\[2pt]
(\lambda, \lambda) & \text{otherwise,}
\end{cases}
$$

where $t_j$ is the substring of length m that begins at the j-th position in t.

Due to space constraints, we only sketch the solution. The core idea is to
have Alice pad her text with N − n 2s, and then demonstrate that any 2s occur
at the end. The details of the solution are similar to those of $\pi_{PM\text{-}hpl}$ above.
Regarding complexity, it can be shown that only O(N + m) encryptions change
hands, hence only this many zero-knowledge proofs of knowledge are needed as
well; i.e. communication and computation complexity are linear. The required
number of rounds is constant.

Theorem 5 (text length hiding): Assume that $\pi_{KeyGen}$, $\pi_{Dec}$, and $\pi_{isBit}$ are as
described above and that (G, E, D) is the ElGamal scheme. Then $\pi_{PM\text{-}htl}$
securely computes $\mathcal{F}_{PM\text{-}htl}$ in the presence of malicious adversaries.
Abstract. Private Set Intersection (PSI) protocols allow one party (“client”) to
compute an intersection of its input set with that of another party (“server”), such
that the client learns nothing other than the set intersection and the server learns
nothing beyond client input size. Prior work yielded a range of PSI protocols se-
cure under different cryptographic assumptions. Protocols operating in the semi-
honest model offer better (linear) complexity while those in the malicious model
are often significantly more costly. In this paper, we construct PSI and Authorized
PSI (APSI) protocols secure in the malicious model under standard cryptographic
assumptions, with both linear communication and computational complexities.
To the best of our knowledge, our APSI is the first solution to do so. Finally, we
show that our linear PSI is appreciably more efficient than the state-of-the-art.


1 Introduction 

Private set intersection (PSI) protocols allow two parties - a server and a client - to 
interact on their respective input sets, such that the client only learns the intersection 
of the two sets, while the server learns nothing (beyond the client input set size). PSI 
addresses several realistic privacy issues. Typical application examples include: 

1. Aviation Security: The U.S. Department of Homeland Security (DHS) needs to
check whether any passenger on each flight from/to the United States must be
denied boarding or disembarkation, based on the so-called Terror Watch List. Today,
airlines surrender their entire passenger manifests to DHS, together with other sen-
sitive information, such as credit card numbers. Besides privacy implications, this
modus operandi poses liability issues with regard to (for the most part) innocent
passengers’ data and concerns about potential data losses. Ideally, DHS would ob-
tain information only pertaining to passengers on the list, while not disclosing any
information to the airlines.

2. Healthcare: Insurance companies often need to obtain information about their in-
sured patients from other parties, such as other insurance carriers or hospitals. The
former cannot disclose the identities of the patients being inquired about, whereas
the latter cannot provide any information on other patients.

3. Law Enforcement: Investigative agencies (e.g., the FBI) need to obtain informa-
tion on suspects from other agencies, e.g., local police departments, the military,
DMV, IRS, or employers. In many cases, it is dangerous (or simply forbidden) for
the FBI to disclose subjects of investigation. For their part, other parties cannot
disclose their entire data-sets and need the FBI to access only desired information.
Also, the FBI requests might need to be pre-authorized by some appropriate trusted
authority (e.g., a federal judge, via a warrant). This way, the FBI can only obtain
information related to legitimate requests.


1.1 Adversaries in PSI 

Over the last years, PSI-related research has yielded several PSI constructs, with a 
wide range of adversarial models, security assumptions, and efficiency characteristics. 
One major distinguishing factor is the adversarial model which is typically either semi- 
honest or malicious. (Note that, in the rest of this paper, the term adversary refers to 
insiders, i.e., protocol participants. Outside adversaries are not considered, since their 
actions can be mitigated via standard network security techniques.) 

Following Goldreich’s definition [Gol04], protocols secure in the presence of semi-
honest adversaries (or honest-but-curious) assume that parties faithfully follow all pro-
tocol specifications and do not misrepresent any information related to their inputs, e.g.,
set size and content. However, during or after protocol execution, any party might (pas-
sively) attempt to infer additional information about the other party’s input. This model
is formalized by requiring that each party does not learn more information than it would
in an ideal implementation relying on a trusted third party (TTP).

In contrast, security in the presence of malicious parties allows arbitrary deviations 
from the protocol. In general, however, it does not prevent parties from refusing to 
participate in the protocol, modifying their private input sets, or prematurely aborting 
the protocol. Security in the malicious model is achieved if the adversary (interacting 
in the real protocol, without the TTP) can learn no more information than it could in 
the ideal scenario. In other words, a secure PSI emulates (in its real execution) the ideal 
execution that includes a trusted third party. This notion is formulated by requiring 
the existence of adversaries in the ideal execution model that can simulate adversarial 
behavior in the real execution model. 

1.2 Authorized (Client) Input 

Malicious parties cannot be prevented from modifying their input sets, even if a pro- 
tocol is proven secure in the malicious model. Considering that the client learns the 
intersection while the server learns nothing, this appears a severe threat to server’s pri- 
vacy. For instance, suppose that a malicious client faithfully follows the protocol, but 
populates its input set with its best guesses of the server set (especially, if the set is easy 
to exhaustively enumerate). This would maximize the amount of information it learns. 
In the extreme case, the client could even claim that its set contains all possible elements.
Although the server could impose a limit on this size, the client could still vary its set 
over multiple protocol runs. 

We claim that this issue cannot be effectively addressed without some mechanism to
authorize client inputs. Consequently, a trusted certification authority (CA) is needed to
certify input sets, as proposed in [CKRS09, CZ09]. This variant is called “Authorized
Private Set Intersection” (APSI) in [DT10]. Note that the CA is an off-line entity; it is
neither trusted with, nor involved in, computing the intersection.

As discussed above, input authorization ensures that malicious clients cannot ma-
nipulate their inputs to harm server privacy. However, this does not help at all as far
as manipulation of server inputs is concerned. One way towards security against malicious servers
would be to introduce authorization for server input, along the same lines as client input
authorization. Although this would likely yield protocols secure in the malicious model,
we choose not to pursue this direction. The main reason is that it is more natural for
the client (who learns the intersection) to be authorized on its input than for the server
(who learns nothing). However, though it is outside the scope of this paper, we believe
that enforcing both server and client input authorization is a subject worth investigat-
ing. Finally, we leave as an open question whether we can reduce security of PSI in the
malicious model to authorization of both client and server inputs.

1.3 Technical Roadmap and Contributions 

Over the last few years, several elegant (if not always efficient) PSI and APSI proto-
cols have been proposed, that are secure in the malicious model, under standard as-
sumptions [KS05, HL08, DSMRY09, CZ09, CKRS09, HN10]. Only [JL09] presents a
linear-complexity PSI protocol secure in the malicious setting. Its proof requires that
the domain of inputs be restricted to polynomial in the security parameter and re-
quires a Common Reference String (CRS) model, where the reference string, including
a safe RSA modulus, must be generated by a mutually trusted third party. Other re-
sults (such as [DT10]) construct linear-complexity PSI and APSI protocols secure in
the semi-honest model, under assumptions of the one-more-XXX type [BNPS03], with
much lower computational and communication complexity. (Note that we overview
prior work in Section 2.) As shown in [DT10], via both analysis and experiments, there
is an appreciable efficiency gap between the two “families” of PSI/APSI protocols:
those secure in the malicious and in the semi-honest models. In this paper, our main
goal is to construct efficient PSI and APSI protocols secure under standard assump-
tions, with malicious participants (both server and client).

Our starting point are the linear-complexity protocols from [DT10] (specifically,
Figures 2 and 3), which are secure only in the semi-honest model. First, we modify
the APSI construct of [DT10] and obtain an APSI protocol secure in the malicious model,
under the standard RSA assumption (in ROM). Then, we modify its PSI counterpart:
while the linear-complexity PSI protocol in [DT10] is secure under the One-More-Gap-
DH assumption [BNPS03] against semi-honest parties, our modified variant is secure in
the malicious model under the standard DDH assumption (again, in ROM). We present
formal proofs for all proposed protocols.

Contributions of our work are: 

1. To the best of our knowledge, our APSI protocol is the first result with linear com-
munication and computational complexity, in the malicious model. (Previous work
achieved quadratic computational complexity.)

2. Our PSI protocol also offers linear complexity. Although some prior work (i.e.,
[JL09]) also achieves the same asymptotic bound, we do not require the CRS model
and our proof does not restrict input domain size. We also show that our protocol
incurs significantly reduced constant factors.

3. We prove security of proposed protocols, in presence of malicious adversaries, un-
der standard cryptographic (RSA and DDH) assumptions, in ROM.

Organization. Section 2 overviews previous work. Then, after some preliminaries in
Section 3, we present our constructions in Sections 4 and 5. Next, Section 6 discusses
the efficiency of our constructs and Section 7 concludes the paper.

2 Related Work 

This section overviews prior work on PSI and APSI. 

2.1 Prior Work on PSI 

It is well known that PSI could be realized via general secure two-party computa-
tion [Yao82]. However, it is usually far more efficient to have dedicated protocols
(see [FNP04, KS05]), which is the direction we pursue in this paper. From here on,
we consider PSI as an interaction between a server S and a client C. The server set
contains w items, while the client set contains v.

Freedman, et al. [FNP04] introduce the concept of PSI and present protocols based
on Oblivious Polynomial Evaluation (OPE) [NP99]. The basic idea is to represent a set
as a polynomial, with individual elements as its roots. The construction for the semi-
honest setting incurs linear communication, and quadratic computational, complexity.
Using Horner’s rule and balanced bucket allocation, the number of modular exponen-
tiations can be reduced to O(w log log v) exponentiations for the server and O(w + v)
exponentiations for the client. [FNP04] also gives constructions for a malicious client
and semi-honest server. This protocol uses a cut-and-choose strategy, thus, the overhead
is increased by a statistical security parameter. Also presented is a protocol secure in
the presence of a malicious server and a semi-honest client in ROM.

Kissner and Song [KS05] propose OPE-based protocols for mutual PSI (as well as
for additional set operations), which may involve more than two players. Protocols are
secure in the standard model against semi-honest and also malicious adversaries. The
former incurs quadratic (O(wv)) computation (but linear communication) overhead.
The latter uses (expensive) generic zero-knowledge proofs to prevent parties from de-
viating from the protocol. Later, Dachman-Soled, et al. [DSMRY09] present an improved
PSI construction, based on [KS05]. Their construction incorporates a secret sharing of
polynomial inputs. Since Shamir’s secret sharing [Sha79] implies Reed-Solomon codes,
they do not need generic zero-knowledge proofs. Complexity of their protocol amounts
to $O(wk^2 \log^2 v)$ in communication and $O(wvk \log v + wk^2 \log^2 v)$ in computa-
tion, k being the security parameter.

Another family of protocols relies on so-called Oblivious Pseudo-Random Functions
(OPRF-s). An OPRF is a two-party protocol (between a sender and a receiver) that se-
curely computes a pseudorandom function $f_k(\cdot)$ on key k contributed by the sender and
input x contributed by the receiver, such that the former learns nothing from the inter-
action, and the latter learns only the value $f_k(x)$. OPRF-based PSI-s work as follows:
Server S holds a secret random key k. Then, for each $s_j \in S$, S computes $u_j = f_k(s_j)$,
and publishes (or sends the client) the set $U = \{u_1, \dots, u_w\}$. Then, C and S engage in
an OPRF computation of $f_k(c_i)$ for each $c_i \in C$ (of size v), such that S learns nothing
about C (except the size) and C learns $f_k(c_i)$. Finally, C obtains $c_i \in C \cap S$ if and
only if $f_k(c_i) \in U$. The idea of using OPRFs for PSI protocols is due to Hazay and
Lindell [HL08], who propose one solution with security against malicious adversaries
with one-sided simulatability, and one against covert adversaries [AL07].

This protocol has been later improved by Jarecki and Liu [JL09], who proposed
a protocol secure in the standard model in the presence of both malicious parties,
based on the Decisional q-Diffie-Hellman Inversion assumption, in the Common Ref-
erence String (CRS) model, where a safe RSA modulus is generated by a trusted third
party. Encryption operations are performed using an additively homomorphic encryp-
tion scheme, such as Camenisch and Shoup [CS03]. As pointed out in [JL09], this ap-
proach can be further optimized, based on the concurrent work in [BCC+09]. Assuming
such improved construction, [JL09] incurs the following computational complexity: Let
m be the number of bits needed to represent each set item; the server performs at least
O(w) PRF evaluations, i.e., both m-bit and group exponentiations, plus O(v) group ex-
ponentiations, whereas the client performs at least O(v) m-bit exponentiations plus O(v) group
exponentiations. We discuss in detail the complexity of this solution later in the paper.
Finally, note that the proof in [JL09] requires the ability to exhaustively search over
the input domain, i.e., the input domain size of the PRF should be polynomial in the
security parameter.

A recent result by Hazay and Nissim [HN10] presents an improved construction
of OPE-based PSI based on [FNP04], but without ROM. Specifically, it introduces
zero-knowledge proofs that allow the client to demonstrate that encrypted polynomials are
correctly produced. Also, it uses a technique based on a perfectly hiding commitment
scheme with an OPRF evaluation protocol to prevent the server from deviating from
the protocol. The PSI protocol in [HN10] incurs $O(v + w(\log\log v + m))$ computa-
tional and $O(v + w \cdot m)$ communication complexity, where m is the number of bits
needed to represent a set item. Note that execution of the underlying OPRF in [HN10]
requires m oblivious transfer invocations, and hence O(m) modular exponentiations,
for each set item. However, such overhead can be avoided by instantiating the protocol
in ROM. This protocol can also be optimized if the size of the intersection is allowed
to be leaked to the server, in contrast to our strict privacy definitions (see Section 3.3).
Nonetheless, the resulting protocol sends $O(v + |S \cap C| \cdot m)$ and computes
$O(v + w \cdot \log\log v + |S \cap C| \cdot m)$, which is still not linear. (Also recall that it is not
clear how to convert the PSI construct of [HN10] into APSI.)

In another recent result, [DT10] (Fig. 4) presents an adaptive PSI protocol based on
blind-RSA signatures [Cha83], secure in the semi-honest model, under the One-More-
RSA assumption [BNPS03], in ROM. Specifically, during an initialization phase, the
server generates RSA keys (N, e, d) and commits to its set, by publishing the hash of
the RSA signature of each item. During the interaction, the client obtains blind-RSA
signatures of its items from the server. Thus, the server needs to compute O(w) RSA
signatures during the initialization phase, and O(v) online. Whereas, the client (assum-
ing e = 3) only computes O(v) multiplications, thus making this construct particularly
appealing for clients running on limited-resource devices.
[DT10] (Fig. 3) includes another PSI secure in the presence of semi-honest adver-
saries, under the One-More-Gap-DH assumption, in ROM. Common inputs are primes
p, q (with $q \mid p-1$, the order of a subgroup of $\mathbb{Z}_p^*$) and a generator of the subgroup, g.
First, the client computes the accumulator $PCH = \prod_{i=1}^{v} H(c_i)$ and sends $X =
PCH \cdot g^{R_c}$ for $R_c$ random in $\mathbb{Z}_q$. Also, for $i = 1, \dots, v$, it computes $PCH_i =
PCH / H(c_i)$ and sends $x_i = PCH_i \cdot g^{R_{c:i}}$ for $R_{c:i}$ random in $\mathbb{Z}_q$. The server picks a ran-
dom $R_s$ in $\mathbb{Z}_q$, sends $Z = g^{R_s}$, and, for each $x_i$, sends back $x'_i = x_i^{R_s}$. Then, for
$j = 1, \dots, w$, it computes $T_{s:j} = H'((X / H(s_j))^{R_s})$. Finally, the client computes
$T_{c:i} = H'(x'_i \cdot Z^{R_c} \cdot Z^{-R_{c:i}})$, and learns that $c_i \in C \cap S$ if $T_{c:i} = T_{s:j}$. Computational com-
plexity of this protocol is O(w + v) and O(v) exponentiations (with short exponents)
for the server and client, respectively.
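The following is an added, runnable Python transcription of the [DT10] Fig. 3 exchange just reviewed; it is not code from [DT10] or from this paper. It constructs its own toy group (a safe prime p = 2q + 1 of about 32 bits, G the subgroup of quadratic residues of order q, generator 4) and uses SHA-256 for both H (hashed into G by squaring) and H'; the names client_round1, server_round, client_round2 and psi are the example's own. Both flows are written out so that the unblinding identity $x'_i \cdot Z^{R_c} \cdot Z^{-R_{c:i}} = (PCH/H(c_i))^{R_s} \cdot g^{R_c R_s}$ can be checked against the server's $(X/H(s_j))^{R_s}$.

```python
"""Runnable toy of the semi-honest PSI of [DT10, Fig. 3] (added example, not the authors' code).
Constructed group: safe prime p = 2q + 1 of ~32 bits, G = its order-q subgroup of quadratic
residues generated by 4; SHA-256 plays H (hash into G) and H' (tag hash). No security at this
size: the point is the accumulator and blinding arithmetic across the two message flows."""
import hashlib
import math
import secrets

def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))

q = next(x for x in range(1 << 31 | 1, 1 << 32, 2) if _is_prime(x) and _is_prime(2 * x + 1))
p, g = 2 * q + 1, 4                    # 4 = 2^2 is a quadratic residue mod p, hence has order q

def H(item):                           # hash into G: reduce mod p, then square into the QR subgroup
    return pow(int.from_bytes(hashlib.sha256(item.encode()).digest(), "big") % p, 2, p)

def H_tag(x):                          # H': G -> {0,1}^256, the tag hash
    return hashlib.sha256(b"tag:" + str(x).encode()).hexdigest()

def client_round1(C):
    """Client: PCH = prod H(c_i); send X = PCH*g^Rc and x_i = (PCH / H(c_i)) * g^{Rc:i}."""
    hs = [H(c) for c in C]
    PCH = math.prod(hs) % p
    Rc, Rci = secrets.randbelow(q), [secrets.randbelow(q) for _ in C]
    X = PCH * pow(g, Rc, p) % p
    xs = [PCH * pow(h, -1, p) * pow(g, r, p) % p for h, r in zip(hs, Rci)]
    return (Rc, Rci), (X, xs)

def server_round(S, msg):
    """Server: Z = g^Rs, x'_i = x_i^Rs, T_s:j = H'((X / H(s_j))^Rs); the tag set carries no order."""
    X, xs = msg
    Rs = secrets.randbelow(q)
    Z = pow(g, Rs, p)
    xps = [pow(x, Rs, p) for x in xs]
    Ts = {H_tag(pow(X * pow(H(s), -1, p) % p, Rs, p)) for s in S}
    return Z, xps, Ts

def client_round2(C, state, reply):
    """Client: T_c:i = H'(x'_i * Z^Rc * Z^{-Rc:i}) = H'((PCH/H(c_i))^Rs * g^{Rc*Rs}); match against T_s."""
    (Rc, Rci), (Z, xps, Ts) = state, reply
    return [c for c, xp, r in zip(C, xps, Rci)
            if H_tag(xp * pow(Z, Rc, p) * pow(Z, -r, p) % p) in Ts]

def psi(S, C):
    """Run the three flows end to end and return C ∩ S as the client learns it (in C's order)."""
    state, m1 = client_round1(C)
    return client_round2(C, state, server_round(S, m1))
```

Calling `psi(["alice", "bob", "carol"], ["bob", "dave", "carol"])` returns `["bob", "carol"]`. Note what the server sees: X and the x_i are uniformly random in G because of the fresh exponents, and the tags T_s:j reveal nothing to the client about non-matching s_j because R_s never leaves the server; this is exactly the semi-honest argument, and nothing here stops a client from choosing the x_i freely, which is the gap the malicious-model protocol of Section 4 closes with zero-knowledge proofs.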

2.2 Prior Work on APSI 

Authorized Private Set Intersection (APSI) is defined in [DT10] to extend PSI to support
authorization of client inputs. Each client input must be authorized (via signing) by
some trusted authority, e.g., a CA. Recall the third example in Section 1: to obtain
information on a suspect from her employer, the FBI needs to be duly authorized. APSI
represents an authorization using a digital signature. Note that authorizations obtained
from the CA are private to the client and cannot be disclosed to the server.

[DT10] shows that the PSI protocol in its Fig. 3 (reviewed at the end of Section 2.1)
can be instantiated in an RSA setting, where client input is a set of RSA signatures and
the server obliviously verifies them by modifying the protocol as follows. The client C
needs to obtain from the CA signatures $\sigma_i = H(c_i)^d$ (for input set $C = \{c_1, \dots, c_v\}$). C
computes the accumulator $PCH^* = \prod_{i=1}^{v} \sigma_i$ and sends $X = PCH^* \cdot g^{R_c}$ for random
$R_c$. Also, it computes $PCH^*_i = PCH^* / \sigma_i$ and sends $x_i = PCH^*_i \cdot g^{R_{c:i}}$ for random
$R_{c:i}$. The server picks a random $R_s$, sends $Z = g^{eR_s}$, and, for each $x_i$, sends back
$x'_i = x_i^{eR_s}$. Then, for $j = 1, \dots, w$, it computes $T_{s:j} = H'((X^e / H(s_j))^{R_s})$. Finally,
the client computes $T_{c:i} = H'(x'_i \cdot Z^{R_c} \cdot Z^{-R_{c:i}})$, and learns that $c_i \in C \cap S$ if $T_{c:i} = T_{s:j}$.
Asymptotic complexity of this solution is the same as that of the standard PSI presented
above, i.e., O(w + v) and O(v) exponentiations for the server and client, respectively.
(Although short exponents are replaced with “RSA” exponents.) The resulting protocol
is secure in the semi-honest model, under the standard RSA assumption, in ROM. Note
that the use of “authorized” client inputs seems to increase server privacy: under the
RSA assumption, the client does not learn any information about server inputs, unless
it holds a valid RSA signature. In other words, there appears to be a strong correlation
between server privacy and the client’s difficulty of forging signatures.

A similar concept (adaptable to APSI) is Public-Key Encryption with Oblivious Key-
word Search in [CKRS09]. It proposes an Identity-based cryptosystem (inspired by
PEKS in [BDOP04]), where the client obtains authorized search trapdoors from a CA,
and uses them to search over data encrypted by the server. The client learns only the
information matching the authorized trapdoors, whereas the server learns nothing. The
protocol is secure in the presence of malicious adversaries in the standard model, under
the Decision Bilinear Diffie-Hellman assumption [BF03]. It uses a modification of the
Boyen-Waters IBE [BW06]. Even without taking into account zero-knowledge proofs,
the server would compute O(w) encryptions of [BW06] (each requiring 6 exponentia-
tions and a representation of 6 group elements). The client would need to test each of
the O(w) PEKS against its O(v) trapdoors, hence performing $O(w \cdot v)$ decryptions.

Finally, [CZ09] introduces another similar notion, Private Intersection of Certified
Sets. This construct allows a trusted third party to ensure that all protocol inputs are
valid and bound to each protocol participant. The proposed protocol is mutual (i.e.,
both parties receive the intersection), builds upon oblivious polynomial evaluation,
and achieves quadratic computation and communication overhead.

3 Preliminaries 

In this section, we present our cryptographic assumptions and tools, as well as the security
model. We introduce our notation in Table 1.


Table 1. Notation

  a ←_r A        variable a is chosen uniformly at random from set A
  κ              security parameter
  N = pq         safe RSA modulus with at least κ-bit security
  e, d           public and private exponents of RSA
  Z_{N/2}        1/2 of bit-size of N
  H()            random oracle H : {0,1}* → {0,1}^κ
  H1()           random oracle H1 : {0,1}* → G (G depends on the context)
  H2()           random oracle H2 : G × G × {0,1}* → {0,1}^κ (G depends on the context)
  C, S           client and server sets, respectively
  v, w           sizes of C and S, respectively
  i, j           indices of elements of C and S, respectively
  c_i, s_j       i-th and j-th elements of C and S, respectively
  hc_i, hs_j     H1(c_i) and H1(s_j), respectively
  σ_i            H1(c_i)^d, RSA signature on client item c_i


3.1 Cryptographic Assumptions 

Definition 1. Let G be a cyclic group and let g be its generator. Assume that the bit-
length of the group size is l. The DDH problem is hard in G if for every efficient algo-
rithm A the probability

$$\Big|\Pr\big[x, y \leftarrow_r \{0,1\}^l : A(g, g^x, g^y, g^{xy}) = 1\big] - \Pr\big[x, y, z \leftarrow_r \{0,1\}^l : A(g, g^x, g^y, g^z) = 1\big]\Big|$$

is a negligible function of κ.

Definition 2. Let RSA-Gen($1^\kappa$) be an algorithm that outputs so-called “safe RSA in-
stances”, i.e. pairs (n, e) where n = pq, e is a small prime such that gcd(e, φ(n)) = 1,
and p, q are random κ-bit primes subject to the constraint that p = 2p' + 1, q = 2q' + 1
for primes p', q', p' ≠ q'. The RSA problem is hard if, for every efficient algorithm A,
the probability

$$\Pr\big[(n, e) \leftarrow \text{RSA-Gen}(1^\kappa),\ z \leftarrow_r \mathbb{Z}_n^* : A(n, e, z) = y \text{ s.t. } y^e = z \pmod n\big]$$

is a negligible function of κ.


E. De Cristofaro, J. Kim, and G. Tsudik


3.2 Tools 

In this section, we consider signatures of knowledge of a discrete logarithm and of equality
of two discrete logarithms in a cyclic group G = ⟨g⟩. In particular, we consider G
where either the order of G is known or the order of G is unknown but its bit-length
l is publicly known. Fujisaki and Okamoto [FO97] show that (under the strong RSA
assumption) standard proofs of knowledge that work in a group of known order are also
proofs of knowledge in this setting. We define the discrete logarithm of y ∈ G with respect
to base g as any integer x ∈ Z such that y = g^x in G. We assume a security parameter
ε > 1.

Definition 3. (ZK of DL over a known order group) Let y, g ∈ G of order q. A pair
$(c, s) \in \{0,1\}^\kappa \times \mathbb{Z}_q$ verifying $c = H(y \| g \| g^s y^c \| m)$ is a signature of knowledge of
the discrete logarithm of $y = g^x$ w.r.t. base g, on message $m \in \{0,1\}^*$.

Definition 4. (ZK of DL over an unknown order group) Let y, g ∈ G where the group
order is unknown, but its bit-length is known as l bits. A pair $(c, s) \in \{0,1\}^\kappa \times
\pm\{0,1\}^{\varepsilon(l+\kappa)+1}$ verifying $c = H(y \| g \| g^s y^c \| m)$ is a signature of knowledge of the
discrete logarithm of $y = g^x$ w.r.t. base g, on message $m \in \{0,1\}^*$.

The player in possession of the secret $x = \log_g y$ can compute the signature by choosing
a random $t \in \mathbb{Z}_q$ (or $\pm\{0,1\}^{\varepsilon(l+\kappa)}$) and then computing c and s as: $c = H(y \| g \| g^t \| m)$
and $s = t - cx$ in $\mathbb{Z}_q$ (or in $\mathbb{Z}$).

Definition 5. (ZK of EDL over a known order group) Let $y_1, y_2, g, h \in G$ of order q. A
pair $(c, s) \in \{0,1\}^\kappa \times \mathbb{Z}_q$ verifying $c = H(y_1 \| y_2 \| g \| h \| g^s y_1^c \| h^s y_2^c \| m)$ is a signature
of knowledge of the discrete logarithm of both $y_1 = g^x$ w.r.t. base g and $y_2 = h^x$ w.r.t.
base h, on message $m \in \{0,1\}^*$.

Definition 6. (ZK of EDL over an unknown order group) Let $y_1, y_2, g, h \in G$ where
the group order is unknown, but its bit-length is known as l bits. A pair $(c, s) \in
\{0,1\}^\kappa \times \pm\{0,1\}^{\varepsilon(l+\kappa)+1}$ verifying $c = H(y_1 \| y_2 \| g \| h \| g^s y_1^c \| h^s y_2^c \| m)$ is a signa-
ture of knowledge of the discrete logarithm of both $y_1 = g^x$ w.r.t. base g and $y_2 = h^x$
w.r.t. base h, on message $m \in \{0,1\}^*$.

The player in possession of the secret $x = \log_g y_1 = \log_h y_2$ can compute the signature
by choosing a random $t \in \mathbb{Z}_q$ (or $\pm\{0,1\}^{\varepsilon(l+\kappa)}$) and then computing c and s as: $c =
H(y_1 \| y_2 \| g \| h \| g^t \| h^t \| m)$ and $s = t - cx$ in $\mathbb{Z}_q$ (or in $\mathbb{Z}$).

3.3 Security Model 

We assume a malicious adversary that behaves arbitrarily. Informally, a protocol is se-
cure in this model if no adversary interacting in the real protocol (where no TTP exists)
can learn any more from a real execution than from an execution that takes place in the
ideal world. In other words, for any adversary that successfully attacks a real protocol,
there exists a simulator that successfully attacks the same protocol in the ideal world.

We now define ideal functionalities of PSI and APSI. In particular, in contrast to PSI,
APSI employs an (off-line) CA with algorithms (KGen, Sign, Ver). The CA generates
a key-pair (sk, pk) ← KGen, publishes its public key pk, and, on client input $c_i$, it
issues a signature $\sigma_i = \text{Sign}(sk, c_i)$ s.t. $\text{Ver}(pk, \sigma_i, c_i) = 1$.

Definition 7. The ideal functionality $\mathcal{F}_{APSI}$ of an APSI protocol between server S on input
$S = \{s_1, \dots, s_w\}$ and client C on input $C = \{(c_1, \sigma_1), \dots, (c_v, \sigma_v)\}$ is defined as:

$$\mathcal{F}_{APSI} : (S, C) \to \big(\bot,\ S \cap \{c_i \mid (c_i, \sigma_i) \in C \wedge \text{Ver}(pk, \sigma_i, c_i) = 1\}\big)$$

where w, v are the public input to $\mathcal{F}_{APSI}$.

Definition 8. The ideal functionality $\mathcal{F}_{PSI}$ of a PSI between server S on input $S =
\{s_1, \dots, s_w\}$ and client C on input $C = \{c_1, \dots, c_v\}$ is defined as follows:

$$\mathcal{F}_{PSI} : (S, C) \to (\bot,\ S \cap C)$$

where w, v are the public input to $\mathcal{F}_{PSI}$.

4 APSI Protocol 

We now present our protocol for secure computation of authorized set intersection.
We start from the APSI protocol of [DT10] (reviewed in Section 2.2), secure in the
semi-honest model. We describe a modified version that securely implements the $\mathcal{F}_{APSI}$
functionality in the malicious model, in ROM, under the RSA and DDH assumptions.

The CA (trusted third party that authorizes client input) is realized with the following
algorithms:

- KGen: On input of security parameter κ, this algorithm generates a safe RSA mod-
ulus N = pq where p = 2p' + 1, q = 2q' + 1 and picks random elements g, g' s.t.
$\langle -1 \rangle \times \langle g \rangle = \langle -1 \rangle \times \langle g' \rangle = \mathbb{Z}_N^*$. RSA exponents (e, d) are chosen in the standard
way: e is a small prime and $d = e^{-1} \bmod \varphi(N)$. The algorithm also fixes hash
functions $H_1 : \{0,1\}^* \to \mathbb{Z}_N^*$ and $H_2 : \mathbb{Z}_N^* \times \mathbb{Z}_N^* \times \{0,1\}^* \to \{0,1\}^\kappa$. The secret
key is (p, q, d) and the public parameters are: N, e, g, g', H1(), H2().

- Sign: On input of $c_i$, this algorithm issues an authorization $\sigma_i = H_1(c_i)^d \bmod N$.

- Ver: On input of $(\sigma_i, c_i)$, this algorithm verifies whether $\sigma_i^e = H_1(c_i) \bmod N$.

The resulting protocol is presented in Figure 1.

Theorem 1. If the RSA and DDH problems are hard, and π, π' are zero-knowledge proofs,
then the protocol in Figure 1 is a secure computation of $\mathcal{F}_{APSI}$, in ROM.

Proof. [Construction of an ideal-world SIM_S from a malicious real-world server S*]
The simulator SIM_S is built as follows:

- Setup: SIM_S executes KGen and publishes public parameters N, e, g, g'.

- Hash queries to H1 and H2: SIM_S constructs two tables $T_1 = (q, h_q)$ and $T_2 =
((k, h'_q, q'), t)$ to answer, respectively, the H1 and H2 queries. Specifically:

  • On query q to H1, SIM_S checks if $\exists (q, h_q) \in T_1$. If so, it returns $h_q$; otherwise
    it responds $h_q \leftarrow_r \mathbb{Z}_N^*$, and stores $(q, h_q)$ in $T_1$.

  • On query $(k, h'_q, q')$ to H2, SIM_S checks if $\exists ((k, h'_q, q'), t) \in T_2$. If so, it
    returns t; otherwise it responds $t \leftarrow_r \{0,1\}^\kappa$ to H2, and stores $((k, h'_q, q'), t)$
    in $T_2$.
Common input: N, e, g, g', H1(), H2()

Server                                            Client
On input: S = {s_1, ..., s_w}                     On input: C = {(c_1, σ_1), ..., (c_v, σ_v)}

                                                  For i = 1, ..., v:
                                                    R_{c:i} ←_r Z_{N/2};  b_i, b'_i ←_r {0,1}
                                                    M_i = (−1)^{b_i} · σ_i · g^{R_{c:i}}
                                                    N_i = (−1)^{b'_i} · hc_i · (g')^{R_{c:i}}
                                                  π = ZK{R_{c:i}, i = 1, ..., v |
                                                         M_i^{2e} / N_i^2 = (g^e / g')^{2R_{c:i}}}

                    <---  {M_i, N_i}_{i=1..v}, π  ---

If π doesn't verify, then abort
R_s ←_r Z_{N/2}
Z = g^{2eR_s}
M'_i = (M_i)^{2eR_s}
K_{s:j} = (hs_j)^{2R_s}
T_{s:j} = H2(K_{s:j}, hs_j, s_j)
π' = ZK{R_s | Z = g^{2eR_s},
         ∀i, M'_i = (M_i)^{2eR_s}}

                    ---  Z, {M'_i}_{i=1..v}, {T_{s:j}}_{j=1..w}, π'  --->

                                                  If π' doesn't verify, then abort
                                                  K_{c:i} = M'_i · Z^{−R_{c:i}}
                                                  T_{c:i} = H2(K_{c:i}, hc_i, c_i)
                                                  Output c_i ∈ C ∩ S if ∃ j s.t. T_{c:i} = T_{s:j}

All notations are from Table 1 and all computations are performed mod N.


Fig. 1. Our APSI Protocol with linear complexity secure against malicious adversaries
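As an added example (not the authors' code), the following Python runs Fig. 1 end to end: the CA algorithms KGen, Sign of Section 4, the client's blinded (M_i, N_i) with the proof π, and the server's Z, M'_i, T_{s:j} with the proof π', where π and π' are the signatures of knowledge of Definitions 4 and 6 from Section 3.2. Assumptions, all of them the example's own: safe primes of about 24 bits for N (no security at this size), SHA-256 in place of the random oracles H, H1 and H2 (H2 is computed as a domain-separated call to H), one shared challenge across the v + 1 relations of π' (the AND-composition of Definition 6), random units for g, g' without enforcing ⟨−1⟩×⟨g⟩ = Z_N^*, and the function names used below.

```python
"""Runnable toy instantiation of the APSI protocol of Fig. 1 (added example, not the authors' code).
Constructed parameters: ~24-bit safe primes (N has ~50 bits, no real security); SHA-256 stands in for
H, H1, H2; pi and pi' are the signatures of knowledge of Definitions 4 and 6 (order unknown, s over Z)."""
import hashlib
import math
import secrets

KAPPA, EPS = 128, 2          # hash length in bits; slack parameter epsilon > 1 of Section 3.2

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))

def safe_prime(start):       # smallest p >= start with p and (p-1)/2 prime; trial division, toy sizes only
    p = start | 1
    while not (is_prime(p) and is_prime((p - 1) // 2)):
        p += 2
    return p

def H(*parts):               # random oracle H: {0,1}* -> {0,1}^KAPPA, inputs length-prefixed
    h = hashlib.sha256()
    for part in parts:
        b = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest()[:KAPPA // 8], "big")

def H1(N, item):             # random oracle H1: {0,1}* -> Z_N^*, by counter-based rejection sampling
    h, ctr = 0, 0
    while h < 2 or math.gcd(h, N) != 1:
        h, ctr = H(b"H1", item, ctr) % N, ctr + 1
    return h

def zk_sign(N, pairs, x, msg):
    """SoK of x with y == base^x mod N for all (base, y) in pairs: Def. 4 for one pair, Def. 6 (shared challenge) for several."""
    bits = EPS * (N.bit_length() + KAPPA)
    t = secrets.randbits(bits) - (1 << (bits - 1))            # t in +-{0,1}^{EPS(l+KAPPA)}
    commits = [pow(base, t, N) for base, _ in pairs]
    c = H(b"ZK", msg, *[v for pair in pairs for v in pair], *commits)
    return c, t - c * x                                          # s = t - c*x over Z, never reduced

def zk_verify(N, pairs, proof, msg):
    c, s = proof
    commits = [pow(base, s, N) * pow(y, c, N) % N for base, y in pairs]   # base^s * y^c == base^t
    return c == H(b"ZK", msg, *[v for pair in pairs for v in pair], *commits)

def ca_keygen(bits=24):
    """KGen: safe RSA modulus N, small prime e with d = e^-1 mod phi(N), random units g, g'.
    Assumption: g, g' are plain random units; the condition <-1> x <g> = Z_N^* is not enforced."""
    p, q = safe_prime(1 << bits), safe_prime(3 << bits)
    N, phi, e = p * q, (p - 1) * (q - 1), 3                   # gcd(e, phi) = 1 since p', q' != 3
    units = iter(lambda: secrets.randbelow(N), None)         # endless stream of candidates for g, g'
    g, g2 = [next(x for x in units if x > 1 and math.gcd(x, N) == 1) for _ in range(2)]
    return {"N": N, "e": e, "g": g, "g2": g2}, pow(e, -1, phi)

def ca_sign(pp, d, item):    # Sign: sigma_i = H1(c_i)^d mod N
    return pow(H1(pp["N"], item), d, pp["N"])

def client_round1(pp, creds):
    """Client on {(c_i, sigma_i)}: blinded M_i, N_i plus a proof pi of the shared exponent R_c:i."""
    N, e, g, g2 = pp["N"], pp["e"], pp["g"], pp["g2"]
    base = pow(pow(g, e, N) * pow(g2, -1, N), 2, N)            # (g^e / g')^2
    state, msg = [], []
    for item, sigma in creds:
        R, hc = secrets.randbelow(N // 2), H1(N, item)
        M = (-1) ** secrets.randbits(1) * sigma * pow(g, R, N) % N
        Nn = (-1) ** secrets.randbits(1) * hc * pow(g2, R, N) % N
        y = pow(M, 2 * e, N) * pow(Nn, -2, N) % N              # M^{2e}/N^2 == base^R iff sigma^e == hc
        state.append((item, R, hc, M))
        msg.append((M, Nn, zk_sign(N, [(base, y)], R, b"pi")))
    return state, msg

def server_round(pp, S, client_msg):
    """Server: verify every pi, then send Z, {M'_i}, the tag set {T_s:j} and the proof pi'."""
    N, e, g, g2 = pp["N"], pp["e"], pp["g"], pp["g2"]
    base = pow(pow(g, e, N) * pow(g2, -1, N), 2, N)
    for M, Nn, proof in client_msg:
        if not zk_verify(N, [(base, pow(M, 2 * e, N) * pow(Nn, -2, N) % N)], proof, b"pi"):
            raise ValueError("pi failed: client item is not CA-authorised")
    Rs = secrets.randbelow(N // 2)
    Z = pow(g, 2 * e * Rs, N)
    Mp = [pow(M, 2 * e * Rs, N) for M, _, _ in client_msg]
    Ts = {H(b"H2", pow(H1(N, s), 2 * Rs, N), H1(N, s), s) for s in S}   # H2(hs_j^{2Rs}, hs_j, s_j)
    pairs = [(pow(g, 2 * e, N), Z)] + [(pow(M, 2 * e, N), Mp_i) for (M, _, _), Mp_i in zip(client_msg, Mp)]
    return Z, Mp, Ts, zk_sign(N, pairs, Rs, b"pi'")

def client_round2(pp, state, reply):
    """Client: verify pi', unblind K_c:i = M'_i * Z^{-R_c:i} = hc_i^{2Rs} and match tags."""
    N, e, g = pp["N"], pp["e"], pp["g"]
    Z, Mp, Ts, proof = reply
    pairs = [(pow(g, 2 * e, N), Z)] + [(pow(M, 2 * e, N), Mp_i) for (_, _, _, M), Mp_i in zip(state, Mp)]
    if not zk_verify(N, pairs, proof, b"pi'"):
        raise ValueError("pi' failed: server did not use a single exponent R_s")
    return [item for (item, R, hc, _), Mp_i in zip(state, Mp)
            if H(b"H2", Mp_i * pow(Z, -R, N) % N, hc, item) in Ts]

def apsi(pp, d, server_set, client_items):
    """End-to-end run: the CA signs the client's items, then the two flows of Fig. 1; returns C ∩ S."""
    state, m1 = client_round1(pp, [(c, ca_sign(pp, d, c)) for c in client_items])
    return client_round2(pp, state, server_round(pp, server_set, m1))
```

With `pp, d = ca_keygen()`, the call `apsi(pp, d, ["alice", "bob", "carol"], ["bob", "dave", "carol"])` returns `["bob", "carol"]`. The server's check of π is what makes authorisation enforceable: a client that feeds an item with a made-up σ produces a pair (M_i, N_i) for which M_i^{2e}/N_i^2 is not a power of (g^e/g')^2, so no prover can satisfy the verifier and `server_round` aborts before any tag is computed. Symmetrically, π' binds Z and every M'_i to one exponent R_s, which is what lets the client trust that K_{c:i} = hc_i^{2R_s} matches the server's K_{s:j} exactly when c_i = s_j.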


- Simulation of the real-world client C and the ideal-world server S:

  1. SIM_S picks $M'_i \leftarrow_r \mathbb{Z}_N^*$, $N'_i \leftarrow_r \mathbb{Z}_N^*$ and computes $M_i = (M'_i)^2$, $N_i = (N'_i)^2$
     for each i = 1, ..., v.

  2. SIM_S sends $\{M_i, N_i\}_{i=1,\dots,v}$ and simulates the proof π.

  3. After getting $(Z, \{M'_i\}_{i=1,\dots,v}, \{T_{s:j}\}_{j=1,\dots,w})$ and interacting with S* as ver-
     ifier in the proof π', if the proof π' verifies, SIM_S runs the extractor algorithm
     for $R_s$. Otherwise, it aborts.

     (a) For each $T_{s:j}$, SIM_S checks if $\exists (q, h_q) \in T_1$ and $\exists ((k, h'_q, q'), t) \in T_2$ s.t.
         $q = q'$, $h_q = h'_q$, $k = (h_q)^{2R_s}$ and $t = T_{s:j}$. If so, add q to S; otherwise,
         add a dummy item to S.

     (b) Then SIM_S plays the role of the ideal-world server, which uses S to re-
         spond to ideal client C’s queries.

Since the distribution of $\{M_i, N_i\}_{i=1,\dots,v}$ sent by SIM_S is identical to the distribution
produced by the real client C and the π proof system is zero-knowledge, S*’s views when
interacting with the real client C and with the simulator SIM_S are indistinguishable.
[Output of the (honest) real client $C$ interacting with $S^*$]

Now we consider the output of the honest real client $C$ interacting with $S^*$. By soundness of the proof $\pi'$, the messages $Z$ and $M'_i$ sent by $S^*$ satisfy $Z = g^{2eR_s}$ and $M'_i = (M_i)^{2eR_s}$ for $i = 1, \ldots, v$. Then, $C$'s final output is the set of all $c_i$'s such that $H_2(M'_i \cdot Z^{-R_{c:i}}, hc_i, c_i) \in \{T_{s:j}\}$. In other words, for each $c_i$, $C$ outputs $c_i$ if $\exists j$ s.t. $H_2(M'_i \cdot Z^{-R_{c:i}}, hc_i, c_i) = T_{s:j}$. Since $H_2$ is a random oracle, there are two possibilities:

1. $S^*$ computes $T_{s:j}$ as $H_2((hs_j)^{2R_s}, hs_j, s_j)$ for $s_j = c_i$. Since $\mathrm{SIM}_s$ described above extracts $s_j = c_i$ and adds $s_j$ to $\mathcal{S}$, the ideal-world $C$ also outputs $c_i$ on its input $c_i$.

2. $S^*$ did not query $H_2$ on $(M'_i \cdot Z^{-R_{c:i}}, hc_i, c_i)$, but $H_2(M'_i \cdot Z^{-R_{c:i}}, hc_i, c_i)$ happens to be equal to $T_{s:j}$. This event occurs with negligible probability, bounded by $v \cdot w \cdot 2^{-\kappa}$.

Therefore, with probability $1 - v \cdot w \cdot 2^{-\kappa}$, the real-world client $C$ interacting with $S^*$ and the ideal-world client $C$ interacting with $\mathrm{SIM}_s$ yield identical outputs.

[Construction of an ideal-world $\mathrm{SIM}_c$ from a malicious real-world client $C^*$]

The simulator $\mathrm{SIM}_c$ is formed as follows:

- Setup and hash queries to $H_1$ and $H_2$: Same as the Setup and the $H_1$ and $H_2$ responses described above in the construction of $\mathrm{SIM}_s$.

- Authorization queries: On input $m$, $\mathrm{SIM}_c$ responds with $(m, \sigma)$ where $\sigma = (H_1(m))^d$, and stores $(m, \sigma)$ in table $T_3$.

- Simulation of the real-world server $S$ and the ideal-world client $C$:

  1. After getting $\{M_i, N_i\}_{i=1,\ldots,v}$ and interacting with $C^*$ as verifier in the proof $\pi$, $\mathrm{SIM}_c$ checks if the proof $\pi$ verifies. If not, it aborts. Otherwise, it runs the extractor algorithm for $\{R_{c:i}\}$ and computes $\pm(hc_i, \sigma_i)$ s.t. $hc_i = \sigma_i^e$.

  2. For each $\pm(hc_i, \sigma_i)$:

     - If $\nexists (q, h_q) \in T_1$ s.t. $h_q = \pm hc_i$, then add a dummy item $(\delta, \sigma_\delta)$ to $\mathcal{C}$, where $\delta$ and $\sigma_\delta$ are randomly selected from the respective domains.

     - If $\exists (q, h_q) \in T_1$ s.t. $h_q = \pm hc_i$, but $\nexists (m, \sigma) \in T_3$ s.t. $\sigma = \pm\sigma_i$, then output $\mathsf{fail}_1$ and abort.

     - If $\exists (q, h_q) \in T_1$ s.t. $h_q = \pm hc_i$ and $\exists (m, \sigma) \in T_3$ s.t. $\sigma = \pm\sigma_i$, then add $(q, \pm\sigma)$ to the set $\mathcal{C}$.

  3. $\mathrm{SIM}_c$ plays the role of the client in the ideal world. On input $\mathcal{C} = \{(c_1, \sigma_1), \ldots, (c_v, \sigma_v)\}$, $\mathrm{SIM}_c$ interacts with the ideal-world server $S$ through the TTP.

  4. On getting the intersection $L = \{c_1^*, \ldots, c_{|L|}^*\}$, with $|L| \le v$, from the ideal-world interaction, $\mathrm{SIM}_c$ forms $\mathcal{S} = \Pi(c_1^*, \ldots, c_{|L|}^*, \delta_1, \ldots, \delta_{w-|L|})$, where the $\delta_j$'s are dummy items and $\Pi$ is a random permutation.

  5. $\mathrm{SIM}_c$ picks $R_s \leftarrow_r \mathbb{Z}_{N/2}$ and computes $Z = g^{2eR_s}$ and $M'_i = (M_i)^{2eR_s}$ for $i = 1, \ldots, v$.

  6. For each $s_j \in \mathcal{S}$:

     - If $s_j \in L$, compute $T_{s:j} = H_2((hs_j)^{2R_s}, hs_j, s_j)$.

     - If $s_j \notin L$, compute $T_{s:j} \leftarrow_r \{0,1\}^\kappa$.

  7. $\mathrm{SIM}_c$ returns $Z, \{M'_i\}, \{T_{s:j}\}$ to $C^*$ and simulates the proof $\pi'$.
Claim 1. If event $\mathsf{fail}_1$ occurs with non-negligible probability, then $C^*$ can be used to break the RSA assumption.

We describe the reduction algorithm using a modified simulator algorithm, called $Ch_1$, that takes an RSA challenge $(N', e', z)$ as input and tries to output $z^{1/e'}$. $Ch_1$ follows $\mathrm{SIM}_c$ as described above, except:

- Setup: On input $(N', e', z)$, $Ch_1$ sets $N = N'$, $e = e'$ and picks generators $g, g' \leftarrow_r \mathbb{Z}_N^*$. (Note that a random $g$ in $\mathbb{Z}_N^*$ matches that chosen by a real key generation with probability about 1/2.)

- Authorization queries: On input $m$, $Ch_1$ responds with $(m, \sigma)$ where $\sigma \leftarrow_r \mathbb{Z}_N^*$, assigns $H_1(m) = \sigma^e$, and records $(m, \sigma)$ in $T_3$.

- Hash queries to $H_1$: On query $q$ to $H_1$, if $\nexists (q, h_q) \in T_1$ then $Ch_1$ responds $h_q = z \cdot (r_q)^e$ where $r_q \leftarrow_r \mathbb{Z}_N$, and stores $(q, r_q, h_q)$ in $T_1$. (Since $r_q$ is uniformly distributed in $\mathbb{Z}_N$, $h_q$ is also uniformly distributed in $\mathbb{Z}_N$.)

Assume that $\mathsf{fail}_1$ occurs on $(hc_i, \sigma_i)$. Then $Ch_1$ extracts the entry $(q, r_q, h_q) \in T_1$ s.t. $h_q = hc_i$ and outputs $\sigma_i / r_q$, which is an $e$-th root of $z$ since $(\sigma_i / r_q)^e = hc_i / r_q^e = z$; this breaks the RSA assumption.

Now, unless the $\mathsf{fail}_1$ event occurs, the views when interacting with $\mathrm{SIM}_c$ and with the real protocol differ only in the computation of $T_{s:j}$ for $s_j \in \mathcal{S}$ but $s_j \notin L$. Let $\mathsf{fail}_2$ be the event that $C^*$ queries $H_2$ on $((hs_j)^{2R_s}, hs_j, s_j)$ for some $s_j \in \mathcal{S}$ with $s_j \notin L$.

Claim 2. If event $\mathsf{fail}_2$ occurs with non-negligible probability, then $C^*$ can be used to break the DDH assumption.

We describe the reduction algorithm $Ch_2$ that takes a DDH challenge $(N', f, \alpha = f^a \bmod N', \beta = f^b \bmod N', \gamma)$ as input and outputs the DDH answer using $C^*$. $Ch_2$ follows the $\mathrm{SIM}_c$ algorithm described above, except that:

- Setup: On input $(N', f, \alpha, \beta, \gamma)$, $Ch_2$ sets $N = N'$, $g = f$ and picks a generator $g' \leftarrow_r \mathbb{Z}_N^*$ and an odd $e \leftarrow_r \mathbb{Z}_N$.

- Authorization queries: Same as in the $Ch_1$ simulation.

- Hash queries to $H_1$: On query $q$ to $H_1$, if $\nexists (q, h_q) \in T_1$ then $Ch_2$ responds with $h_q = \beta \cdot g^{r_q}$ where $r_q \leftarrow_r \mathbb{Z}_{N/2}$, and records $(q, r_q, h_q)$ in $T_1$. (Since $r_q$ is random in $\mathbb{Z}_{N/2}$, the distribution of $h_q$ is computationally indistinguishable from the uniform distribution over $\mathbb{Z}_N^*$.)

- In the computation of $Z$, $\{M'_i\}$, $\{T_{s:j}\}$:

  • $Ch_2$ sets $Z = \alpha^{2e}$ and computes $M'_i = \gamma^2 \cdot \alpha^{2r_q + 2eR_{c:i}}$ for $i = 1, \ldots, v$ (instead of picking $R_s$ and computing $Z = g^{2eR_s}$ and $M'_i = (M_i)^{2eR_s}$), where $r_q$ is the value recorded in the $T_1$ entry with $h_q = \pm hc_i$.

  • For each $s_j \in \mathcal{S}$, if $s_j \in L$, $Ch_2$ computes $T_{s:j} = H_2(\gamma^2 \cdot \alpha^{2r_q}, hs_j, s_j)$.

Given $\alpha = g^a$ (which plays the role of $g^{R_s}$) and $\beta = g^b$, we replace $g^{ab}$ by $\gamma$ in the above simulation of $M'_i$ and $T_{s:j}$. Indeed, if $\gamma = g^{ab}$ then $(M_i)^{2ea} = (\pm\sigma_i g^{R_{c:i}})^{2ea} = (hc_i)^{2a} g^{2eaR_{c:i}} = (g^{b+r_q})^{2a} \alpha^{2eR_{c:i}} = \gamma^2 \alpha^{2r_q + 2eR_{c:i}}$, exactly as in the real protocol. Thus, $C^*$'s views when interacting with the real server $S$ and with the simulator $Ch_2$ are indistinguishable under the DDH assumption. Assume that $\mathsf{fail}_2$ occurs, i.e., $C^*$ makes a query to $H_2$ on $((hs_j)^{2R_s}, hs_j, s_j)$ for some $s_j \in \mathcal{S}$ with $s_j \notin L$. $Ch_2$ checks if $\exists (q, r_q, h_q) \in T_1$ and $\exists ((k, h'_q, q'), t) \in T_2$ s.t. $q = q'$, $h_q = h'_q$ and $k = \gamma^2 \cdot \alpha^{2r_q}$ for some $q \in \mathcal{S}$ with $q \notin L$. If so, $Ch_2$ outputs True. Otherwise, $Ch_2$ outputs False. Thus, the DDH assumption is broken.

Therefore, since the $\mathsf{fail}_1$ and $\mathsf{fail}_2$ events occur with negligible probability, $C^*$'s views in the protocol with the real-world server $S$ and in the interaction with $\mathrm{SIM}_c$ are computationally indistinguishable.
[The output of the honest real server $S$ interacting with $C^*$]

Finally, the real-world $S$ interacting with $C^*$ in the real protocol outputs $\bot$, and the ideal-world $S$ interacting with $\mathrm{SIM}_c$ gets $\bot$. This ends the proof of Theorem 1.

Our APSI protocol differs from the one in [DT10] in the following:

- We modify the inputs to the protocol and add efficient zero-knowledge proofs to prevent client and server from deviating from the protocol and to enable extraction of inputs.

- We multiply client inputs by $-1$ raised to a random bit in order to: (1) ensure that they are uniformly distributed in $QR_N$, and (2) simplify the reduction to the RSA problem.

- We do not use "accumulated" values, such as $PCH^*$, as they are not needed either for protocol security or for input extraction during simulation.

5 PSI Protocol

This section presents our protocol for secure computation of set intersection. It is a modified version of the PSI protocol of [DT10] (reviewed in Section 2.1), which is secure in the semi-honest model under the One-More-Gap-DH assumption (in ROM). We amend it to obtain a protocol that securely implements $\mathcal{F}_{\mathrm{PSI}}$ in the malicious model under the DDH assumption (in ROM). We assume that KGen generates $p, q, g, g', g''$, where $p$ and $q$ are primes such that $q \mid p - 1$, and $g, g', g''$ are generators of the subgroup of order $q$ in $\mathbb{Z}_p^*$.

The resulting protocol is presented in Figure 2.

Theorem 2. If the DDH problem is hard and $\pi, \pi'$ are zero-knowledge proofs, the protocol in Figure 2 is a secure computation of $\mathcal{F}_{\mathrm{PSI}}$ in ROM.

Proof. [Construction of an ideal-world $\mathrm{SIM}_s$ from a malicious real-world server $S^*$]

Simulator $\mathrm{SIM}_s$ is built as follows:

- Setup: $\mathrm{SIM}_s$ executes KGen and publishes the public parameters $p, q, g, g', g''$.

- Queries to $H_1$ and $H_2$: $\mathrm{SIM}_s$ creates two tables $T_1 = (q, h_q)$ and $T_2 = ((k, h'_q, q'), t)$ to answer, respectively, $H_1$ and $H_2$ queries. Specifically:

  • On query $q$ to $H_1$, $\mathrm{SIM}_s$ checks if $\exists (q, h_q) \in T_1$. If so, it returns $h_q$; otherwise it responds $h_q \leftarrow_r \mathbb{Z}_p^*$ and stores $(q, h_q)$ in $T_1$.

  • On query $(k, h'_q, q')$ to $H_2$, $\mathrm{SIM}_s$ checks if $\exists ((k, h'_q, q'), t) \in T_2$. If so, it returns $t$; otherwise it responds $t \leftarrow_r \{0,1\}^\kappa$ and stores $((k, h'_q, q'), t)$ in $T_2$.

- Simulation of the real-world client $C$ and the ideal-world server $S$:

  1. $\mathrm{SIM}_s$ picks $X \leftarrow_r \mathbb{Z}_p^*$ and $\{M_i, N_i \mid M_i \leftarrow_r \mathbb{Z}_p^*, N_i \leftarrow_r \mathbb{Z}_p^*\}$ for $i = 1, \ldots, v$.

  2. $\mathrm{SIM}_s$ sends $X, \{M_i, N_i\}_{i=1,\ldots,v}$ and simulates the proof $\pi$.

  3. After getting $(Z, \{M'_i\}_{i=1,\ldots,v}, \{T_{s:j}\}_{j=1,\ldots,w})$ and interacting with $S^*$ as verifier in the proof $\pi'$, if $\pi'$ verifies, $\mathrm{SIM}_s$ runs the extractor algorithm for $R_s$. Otherwise, it aborts.

     (a) For each $T_{s:j}$, $\mathrm{SIM}_s$ checks if $\exists (q, h_q) \in T_1$ and $\exists ((k, h'_q, q'), t) \in T_2$ s.t. $q = q'$, $h_q = h'_q$, $k = (h_q)^{R_s}$ and $t = T_{s:j}$. If so, it adds $q$ to $\mathcal{S}$; otherwise, it adds a dummy item to $\mathcal{S}$.

     (b) Then $\mathrm{SIM}_s$ plays the role of the ideal-world server, which uses $\mathcal{S}$ to respond to the ideal client $C$'s queries.
Common input: $p, q, g, g', g'', H_1(), H_2()$

Server, on input $S = \{s_1, \ldots, s_w\}$. Client, on input $C = \{c_1, \ldots, c_v\}$.

Client:
  $PCH = \prod_{i=1}^{v} hc_i$
  $R_c \leftarrow_r \mathbb{Z}_q$
  $X = PCH \cdot g^{R_c}$
  For $1 \le i \le v$:
    $PCH_i = PCH / hc_i$
    $R_{c:i} \leftarrow_r \mathbb{Z}_q$
    $M_i = hc_i \cdot (g')^{R_{c:i}}$
    $N_i = PCH_i \cdot (g'')^{R_{c:i}}$
  $\pi = ZK\{R_c, R_{c:i}, i = 1, \ldots, v \mid X / (M_i N_i) = g^{R_c} / (g' \cdot g'')^{R_{c:i}}\}$
  Client $\rightarrow$ Server: $X, \{M_i\}, \{N_i\}, \pi$

Server:
  If $\pi$ doesn't verify, then abort
  $R_s \leftarrow_r \mathbb{Z}_q$
  $Z = (g')^{R_s}$
  For $1 \le i \le v$: $M'_i = (M_i)^{R_s}$
  $\pi' = ZK\{R_s \mid Z = (g')^{R_s},\ \forall i:\ M'_i = (M_i)^{R_s}\}$
  For $1 \le j \le w$: $K_{s:j} = (hs_j)^{R_s}$, $T_{s:j} = H_2(K_{s:j}, hs_j, s_j)$
  Server $\rightarrow$ Client: $Z, \{M'_i\}, \{T_{s:j}\}, \pi'$

Client:
  If $\pi'$ doesn't verify, then abort
  For $1 \le i \le v$: $K_{c:i} = Z^{-R_{c:i}} \cdot M'_i$, $T_{c:i} = H_2(K_{c:i}, hc_i, c_i)$
  Output: $c_i \in C \cap S$ if $\exists j$ s.t. $T_{c:i} = T_{s:j}$

All notations are from Table 1 and all computations are performed mod $p$.

Fig. 2. Our PSI protocol with linear complexity, secure against malicious adversaries

Since the distribution of $X, \{M_i, N_i\}_{i=1,\ldots,v}$ sent by $\mathrm{SIM}_s$ is identical to the distribution produced by the real client $C$, and the $\pi$ proof system is zero-knowledge, $S^*$'s views when interacting with the real client $C$ and with the simulator $\mathrm{SIM}_s$ are indistinguishable.

[Output of the honest real client $C$ interacting with $S^*$]

Now we consider the output of the honest real client $C$ interacting with $S^*$. By soundness of $\pi'$, the messages $Z$ and $M'_i$ sent by $S^*$ satisfy $Z = (g')^{R_s}$ and $M'_i = (M_i)^{R_s}$ for $i = 1, \ldots, v$. Then $C$'s final output is the set of all $c_i$'s such that $H_2(M'_i \cdot Z^{-R_{c:i}}, hc_i, c_i) \in \{T_{s:j}\}$. In other words, for each $c_i$, $C$ outputs $c_i$ if $\exists j$ s.t. $H_2(M'_i \cdot Z^{-R_{c:i}}, hc_i, c_i) = T_{s:j}$. Since $H_2$ is a random oracle, there are two possibilities:

1. $S^*$ computes $T_{s:j}$ as $H_2((hs_j)^{R_s}, hs_j, s_j)$ for $s_j = c_i$. Since $\mathrm{SIM}_s$ described above extracts $s_j = c_i$ and adds $s_j$ to $\mathcal{S}$, the ideal-world $C$ also outputs $c_i$ on its input $c_i$.

2. $S^*$ did not query $H_2$ on $(M'_i \cdot Z^{-R_{c:i}}, hc_i, c_i)$, but $H_2(M'_i \cdot Z^{-R_{c:i}}, hc_i, c_i)$ happens to be equal to $T_{s:j}$. This event occurs with negligible probability, bounded by $v \cdot w \cdot 2^{-\kappa}$.

Therefore, with probability $1 - v \cdot w \cdot 2^{-\kappa}$, the real-world client $C$ interacting with $S^*$ and the ideal-world client $C$ interacting with $\mathrm{SIM}_s$ produce identical output.

[Construction of an ideal-world $\mathrm{SIM}_c$ from a malicious real-world client $C^*$]

Simulator $\mathrm{SIM}_c$ is formed as follows:

- Setup and hash queries to $H_1$ and $H_2$: Same as the Setup and the $H_1$ and $H_2$ responses described above in the construction of $\mathrm{SIM}_s$.

- Simulation of the real-world server $S$ and the ideal-world client $C$:

  1. After getting $(X, \{M_i\}, \{N_i\})$ and interacting with $C^*$ as verifier in the proof $\pi$, $\mathrm{SIM}_c$ checks if $\pi$ verifies. If not, it aborts. Otherwise, it runs the extractor algorithm for $R_c, \{R_{c:i}\}$ and computes $hc_1, \ldots, hc_v$.

  2. For each $hc_i$, if $\exists (q, h_q) \in T_1$ s.t. $h_q = hc_i$, then add $q$ to the set $\mathcal{C}$. Otherwise, add a dummy item to $\mathcal{C}$.

  3. $\mathrm{SIM}_c$ plays the role of the client in the ideal world. On input $\mathcal{C} = \{c_1, \ldots, c_v\}$, $\mathrm{SIM}_c$ interacts with the ideal-world server $S$ through the TTP.

  4. On getting the intersection $L = \{c_1^*, \ldots, c_{|L|}^*\}$, with $|L| \le v$, from the ideal-world interaction, $\mathrm{SIM}_c$ forms $\mathcal{S} = \Pi(c_1^*, \ldots, c_{|L|}^*, \delta_1, \ldots, \delta_{w-|L|})$, where the $\delta_j$'s are dummy items and $\Pi$ is a random permutation.

  5. $\mathrm{SIM}_c$ picks $R_s \leftarrow_r \mathbb{Z}_q$ and computes $Z = (g')^{R_s}$ and $M'_i = (M_i)^{R_s}$ for $i = 1, \ldots, v$.

  6. For each $s_j \in \mathcal{S}$:

     • If $s_j \in L$, compute $T_{s:j} = H_2((hs_j)^{R_s}, hs_j, s_j)$.

     • If $s_j \notin L$, compute $T_{s:j} \leftarrow_r \{0,1\}^\kappa$.

  7. $\mathrm{SIM}_c$ returns $Z, \{M'_i\}, \{T_{s:j}\}$ to $C^*$ and simulates the proof $\pi'$.

Let $\mathsf{fail}$ be the event that $C^*$ queries $H_2$ on $((hs_j)^{R_s}, hs_j, s_j)$ for some $s_j \in \mathcal{S}$ with $s_j \notin L$. Similar to the argument in the proof of Theorem 1, if the $\mathsf{fail}$ event does not occur then, since $\pi'$ is zero-knowledge, $C^*$'s views in the real game with the real-world server $S$ and in the interaction with the simulator $\mathrm{SIM}_c$ constructed above are indistinguishable.

Claim. If event $\mathsf{fail}$ occurs with non-negligible probability, then $C^*$ can be used to break the DDH assumption.

We describe the reduction algorithm, called $Ch$, that takes a DDH problem $(p', q', f, \alpha = f^a \bmod p', \beta = f^b \bmod p', \gamma)$ as input and tries to output the answer using $C^*$. $Ch$ follows the $\mathrm{SIM}_c$ algorithm described above, except that:

- Setup: On input $(p', q', f, \alpha, \beta, \gamma)$, $Ch$ sets $p = p'$, $q = q'$, $g' = f$ and picks generators $g, g'' \leftarrow_r \mathbb{Z}_p^*$.

- Hash queries to $H_1$: On query $q$ to $H_1$, if $\nexists (q, h_q) \in T_1$ then $Ch$ responds with $h_q = \beta \cdot (g')^{r_q}$ where $r_q \leftarrow_r \mathbb{Z}_q$, and records $(q, r_q, h_q)$ in $T_1$.

- In the computation of $Z$, $\{M'_i\}$, $\{T_{s:j}\}$:

  • $Ch$ sets $Z = \alpha$ and computes $M'_i = \gamma \cdot \alpha^{r_q + R_{c:i}}$, where $r_q$ is the value recorded in the $T_1$ entry with $h_q = hc_i$.

  • For each $s_j \in \mathcal{S}$, if $s_j \in L$, $Ch$ computes $T_{s:j} = H_2(\gamma \cdot \alpha^{r_q}, hs_j, s_j)$.

Using an argument similar to that in the proof of Theorem 1, $C^*$'s views, when interacting with the real server $S$ and with the simulator $Ch$, are indistinguishable under the DDH assumption: if $\gamma = f^{ab}$, then $(M_i)^{a} = (hc_i \cdot (g')^{R_{c:i}})^{a} = (g')^{a(b + r_q + R_{c:i})} = \gamma \cdot \alpha^{r_q + R_{c:i}}$, exactly as in the real protocol with $R_s = a$. Assume that $\mathsf{fail}$ occurs, i.e., $C^*$ makes a query to $H_2$ on $((hs_j)^{R_s}, hs_j, s_j)$ for some $s_j \in \mathcal{S}$ with $s_j \notin L$. $Ch$ checks if $\exists (q, r_q, h_q) \in T_1$ and $\exists ((k, h'_q, q'), t) \in T_2$ s.t. $q = q'$, $h_q = h'_q$ and $k = \gamma \cdot \alpha^{r_q}$ for some $q \in \mathcal{S}$ with $q \notin L$. If so, $Ch$ outputs True. Otherwise, $Ch$ outputs False. Thus, $Ch$ solves the DDH problem.

Since $\mathsf{fail}$ occurs with negligible probability, $C^*$'s views in the protocol with the real-world server $S$ and in the interaction with $\mathrm{SIM}_c$ are computationally indistinguishable.

[Output of the honest real server $S$ interacting with $C^*$]

Finally, the real-world $S$ interacting with $C^*$ in the real protocol outputs $\bot$, and the ideal-world $S$ interacting with $\mathrm{SIM}_c$ gets $\bot$.
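The two-message exchange of Figure 2, run end to end, as an added example (constructed for this page, not the authors' implementation). The proofs $\pi$ and $\pi'$ are realised as Schnorr-type proofs of knowledge of exponents, made non-interactive with Fiat-Shamir, which is the random-oracle instantiation the proof of Theorem 2 permits. Everything concrete is an assumption of the example: a 64-bit safe-prime group generated from a fixed seed (a deployment needs $|p| \ge 1024$, the size the cost estimates of Section 6 assume), generators derived by hashing so their relative discrete logarithms are unknown, SHA-256 for $H_1$/$H_2$ and the Fiat-Shamir challenge, and 128-bit tags. The `cheat` flag exercises the malicious-server case the proof depends on: a server that exponentiates one $M_i$ with a different exponent than $Z$ cannot produce a valid $\pi'$, so the client aborts rather than computing on a malformed $K_{c:i}$.

```python
"""Toy end-to-end run of the DDH-based PSI protocol of Figure 2 (constructed example,
not the authors' code). 64-bit safe-prime subgroup from a fixed seed; pi and pi' are
Schnorr-type proofs of exponent knowledge, non-interactive via Fiat-Shamir (ROM)."""
import hashlib, math, random
from secrets import randbelow

def is_probable_prime(n, rng=random.Random(1)):
    """Miller-Rabin, 32 rounds; the seeded rng keeps the group generation deterministic."""
    if n < 2 or any(n % s == 0 for s in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(32):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_group(bits=64, seed=2010):
    """p = 2q + 1 with p, q prime: elements live mod p, exponents mod q (toy size)."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q

P, Q = gen_group()
KAPPA = 16                                   # tag length in bytes (kappa = 128 bits)

def hash_to_group(data):
    """SHA-256 mod p, then square: lands in the order-q subgroup (quadratic residues)."""
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big") % P, 2, P)

G, G1, G2 = (hash_to_group(b"gen|" + n) for n in (b"g", b"g'", b"g''"))  # stand-in for KGen

def H1(item):                                # random oracle H1 -> hc_i / hs_j
    return hash_to_group(b"H1|" + item.encode())

def H2(k, h, item):                          # random oracle H2 -> kappa-bit tag
    return hashlib.sha256(f"H2|{k}|{h}|{item}".encode()).digest()[:KAPPA]

def fs_challenge(statements, commits):
    """Fiat-Shamir challenge over the statements and the prover's commitments."""
    return int.from_bytes(hashlib.sha256(repr((statements, commits)).encode()).digest(), "big") % Q

def zk_prove(witness, statements):
    """ZK{x_j | Y_k = prod_j B_{k,j}^{x_j}} for statements = [(Y_k, {j: B_{k,j}}), ...]."""
    t = {j: randbelow(Q) for j in witness}
    commits = [math.prod(pow(b, t[j], P) for j, b in bases.items()) % P for _, bases in statements]
    c = fs_challenge(statements, commits)
    return c, {j: (t[j] - c * x) % Q for j, x in witness.items()}

def zk_verify(proof, statements):
    c, s = proof
    commits = [math.prod(pow(b, s[j], P) for j, b in bases.items()) * pow(y, c, P) % P
               for y, bases in statements]
    return c == fs_challenge(statements, commits)

def pi_statements(X, Ms, Ns):
    """pi: for each i, X / (M_i N_i) = g^{R_c} * ((g' g'')^{-1})^{R_{c:i}}."""
    inv = pow(G1 * G2 % P, -1, P)
    return [(X * pow(M * N % P, -1, P) % P, {"Rc": G, f"Rc:{i}": inv})
            for i, (M, N) in enumerate(zip(Ms, Ns))]

def pi_prime_statements(Z, Ms, Mps):
    """pi': Z = g'^{R_s} and M'_i = M_i^{R_s} for every i (same exponent throughout)."""
    return [(Z, {"Rs": G1})] + [(Mp, {"Rs": M}) for M, Mp in zip(Ms, Mps)]

def client_round1(C):
    hcs = [H1(c) for c in C]
    pch = math.prod(hcs) % P
    rc, rcs = randbelow(Q), [randbelow(Q) for _ in C]
    X = pch * pow(G, rc, P) % P
    Ms = [h * pow(G1, r, P) % P for h, r in zip(hcs, rcs)]
    Ns = [pch * pow(h, -1, P) * pow(G2, r, P) % P for h, r in zip(hcs, rcs)]  # PCH_i = PCH / hc_i
    witness = {"Rc": rc, **{f"Rc:{i}": r for i, r in enumerate(rcs)}}
    return (X, Ms, Ns, zk_prove(witness, pi_statements(X, Ms, Ns))), (C, hcs, rcs, Ms)

def server_round(S, msg, cheat=False):
    X, Ms, Ns, pi = msg
    if not zk_verify(pi, pi_statements(X, Ms, Ns)):
        raise ValueError("pi does not verify: abort")
    rs = randbelow(Q)
    Z, Mps = pow(G1, rs, P), [pow(M, rs, P) for M in Ms]
    if cheat:                                # malicious server: inconsistent exponent on M'_1
        Mps[0] = pow(Ms[0], rs + 1, P)
    tags = [H2(pow(H1(s), rs, P), H1(s), s) for s in S]   # T_{s:j} = H2(hs_j^{R_s}, hs_j, s_j)
    return Z, Mps, tags, zk_prove({"Rs": rs}, pi_prime_statements(Z, Ms, Mps))

def client_round2(state, msg):
    C, hcs, rcs, Ms = state
    Z, Mps, tags, pi_p = msg
    if not zk_verify(pi_p, pi_prime_statements(Z, Ms, Mps)):
        raise ValueError("pi' does not verify: abort")
    tagset = set(tags)
    # K_{c:i} = Z^{-R_{c:i}} * M'_i = hc_i^{R_s}, so the tags match exactly when c_i = s_j
    return [c for c, h, r, Mp in zip(C, hcs, rcs, Mps)
            if H2(pow(Z, Q - r, P) * Mp % P, h, c) in tagset]

def run_psi(C, S, cheat=False):
    """Full exchange; returns the client's output, or None if the client aborts."""
    msg1, state = client_round1(C)
    try:
        return client_round2(state, server_round(S, msg1, cheat))
    except ValueError:
        return None
```

`run_psi(["alice", "bob", "carol"], ["bob", "dave", "carol", "erin"])` returns the intersection `["bob", "carol"]` in the client's order, and `run_psi(["bob"], ["bob"], cheat=True)` returns `None` because $\pi'$ fails. The statement lists passed to `zk_prove` and `zk_verify` are rebuilt independently by each side from the messages on the wire, which is what makes the Fiat-Shamir challenge binding.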

6 Protocols Efficiency

In this section, we analyze the efficiency of our protocols and compare them to prior results. We summarize the different features and the estimated asymptotic complexities of prior work on Authorized Private Set Intersection and Private Set Intersection, respectively, as well as those of our protocols, in Tables 2 and 3. Recall that we use $w$ and $v$ to denote the number of elements in the server and client input sets, respectively. We also specify whether the protocols can support the extension for data transfer, a PSI variant introduced in [DT10] and discussed in detail in the extended version of this paper [DKT10].

Note that our APSI protocol (in Figure 1) is, to the best of our knowledge, the only such construct, secure in the malicious model, with linear communication and computational complexity.

Comparing our PSI (Fig. 2) to [JL09]. Our PSI protocol achieves the same (linear) asymptotic overhead as the prior work of [JL09], although in ROM. However, the underlying cryptographic operations of [JL09], hidden in the big-$O()$ notation, are much more expensive than those in Figure 2, as we discuss below.

First, recall that, on average, each $|q|$-bit multi-exponentiation mod $p$ involves $(1.5 \cdot |q|)$ multiplications of $|p|$-bit numbers, whereas each $|q|$-bit fixed-base exponentiation mod $p$ incurs only $(0.5 \cdot |q|)$ multiplications. From now on, we denote with $m$ a modular multiplication of $|p|$-bit numbers, and we assume $|p| = 1024$.

Observe that the PSI protocol in Figure 2, in the malicious model, incurs a total cost of $(240w + 960v)\,m$. Due to space limitations, we refer to our extended version [DKT10] for all the details of our estimation.

In order to count the number of operations of [JL09], we use the optimized OPRF construction due to [BCC+09] and we use standard non-interactive ZK in ROM. We select set items to be drawn from a 40-bit domain.¹ The total cost of [JL09], in the malicious model, amounts to $(80w + 81320v)\,m$. (Again, refer to [DKT10] for the details.)

¹ Recall that, in the proof of [JL09], there seems to be a trade-off between the input domain size and the security loss, as the simulator needs to exhaustively search over the input domain.
Table 2. Comparison of Authorized Private Set Intersection protocols

Protocol          | Standard Model | Malicious Model | Assumption | Communication Complexity | Server Computation | Client Computation | Data Transfer
[?]               | ✓              | ✓               | BDH        | O(w)                     | O(w) enc's         | (unreadable)       | ✓
[CZ09]            | ✓              | ✓               | Strong RSA | O(w + v)                 | O(w · v)           | O(w · v)           | ✗
Fig. 2 of [DT10]  | ✗              | ✗               | RSA        | O(w + v)                 | O(w + v)           | O(v)               | ✓
Our APSI          | ✗              | ✓               | RSA        | O(w + v)                 | O(w + v)           | O(v)               | ✓

Table 3. Comparison of Private Set Intersection protocols

Protocol          | Standard Model | Malicious Model | Assumption            | Communication Complexity | Server Computation  | Client Computation | Data Transfer
[FNP04]           | ✓              | ✗               | Homom. Encr.          | O(w + v)                 | O(w log log v)      | O(w + v)           | ✓
[KS05]            | ✓              | ✓               | Homom. Encr.          | O(w + v)                 | O(w · v) exps       | O(w · v)           | ✗
[JL09]            | ✓              | ✓               | Decisional q-DH, CRS  | O(w + v)                 | O(w + v) exps       | O(v)               | ✓
[HN10]            | ✓              | ✓               | DDH                   | O(w + v)                 | O(w log log v) exps | O(w + v)           | ✗
Fig. 3 of [DT10]  | ✗              | ✗               | One-More Gap-DH       | O(w + v)                 | O(w + v) exps       | O(v)               | ✓
Fig. 4 of [DT10]  | ✗              | ✗               | One-More RSA          | O(w + v)                 | O(w + v) exps       | O(v)               | ✓
Our PSI           | ✗              | ✓               | DDH                   | O(w + v)                 | O(w + v)            | O(v)               | ✓

(The citation key of the first row of Table 2, and its client-computation entry, are unreadable in the source.)


Selecting, for instance, $w = v$, the protocol in Figure 2 would require as little as 1.5% of the total modular multiplications incurred by [JL09] (even with the optimized OPRF construction and using non-interactive ZK in ROM). Only when $w/v \gg 500$ does [JL09] incur a lower cost. Furthermore, recall that, although secure in the standard model, the PSI construct in [JL09], when compared to ours, has three major drawbacks: (1) the size of set items must be polynomial in the security parameter, whereas, in our protocol, items can be taken from $\{0,1\}^*$; (2) it requires the Decisional q-DH assumption and the Common Reference String (CRS) model, where a safe RSA modulus must be generated by a mutually trusted party; and (3) it is not clear how to convert it into APSI.

We conclude that, though in ROM (as opposed to [JL09]), our PSI protocol significantly improves on the performance of prior PSI results secure in the malicious model, while avoiding several restrictions.

7 Conclusion

In this paper, we presented PSI and APSI protocols secure in the malicious model under standard cryptographic assumptions, with linear communication and computational complexities. The proposed protocols offer better efficiency than prior work. In particular, our APSI protocol is the first technique to achieve linear computational complexity. Our efficiency claims are supported by a detailed performance comparison.
Abstract. So far, all solutions proposed for authenticated key agreement combine key agreement and authentication into a single cryptographic protocol. However, in many important application scenarios, key agreement and entity authentication are clearly separated protocols. This fact enables efficient attacks on the naïve combination of these protocols.

In this paper, we propose new compilers for two-party key agreement and authentication, which are provably secure in the standard Bellare-Rogaway model. The constructions are generic: key agreement is executed first and results (without intervention of the adversary) in a secret session key on both sides. This key (or a derived key) is handed over, together with a transcript of all key exchange messages, to the authentication protocol, where it is combined with the random challenge(s) exchanged during authentication.

Keywords: authenticated key agreement, protocol compiler, TLS.

1 Introduction

Authenticated key agreement (AKE) is a basic building block in modern cryptography. Many secure protocols for two-party and group key agreement have been proposed, including generic compilers that transform simple key agreement protocols into authenticated key agreement protocols, with many additional security properties.

However, all known constructions (including e.g. the modular approach of [?] and the Katz-Yung compiler [22]) result in a single cryptographic protocol, whereas many security-critical real-world applications combine two or more clearly separated protocols:

— (Client) Authentication and SSL/TLS. The most prominent example is SSL/TLS. Although server and browser can be authenticated in a provably secure way [20,25] within a single cryptographic protocol (the TLS handshake protocol), nearly all known web applications authenticate the client through a different protocol on top of the TLS channel. The security of these protocols is based on the sole assumption that the (human) user is able to

* The research leading to these results has received funding from the European Community (FP7/2007-2013) under grant agreement number ICT-2007-216646 - European Network of Excellence in Cryptology II (ECRYPT II).

M. Abe (Ed.): ASIACRYPT 2010, LNCS 6477, pp. 232-249, 2010.
authenticate the server on the basis of security indicators of the browser, which was shown to be false in [?]. We do not rely on this assumption. Instead, we regard SSL/TLS simply as a key agreement protocol, which cannot be changed due to the large number of implementations that are running worldwide. We may however change the authentication protocol, since the authentication protocol is often implemented in HTML/JavaScript.¹

— Browser-based Single Sign-On (SSO). This scenario is perhaps the most complex one, and a formalization is out of scope of this paper. However, it may serve as an illustration of how cryptographic protocols are combined today to implement key exchange (KE) and authentication functionalities. In SSO protocols, two key agreement protocols and two different authentication protocols are combined to achieve the desired goal. Cryptographically secure SSO protocols have e.g. been described in [?].

In this work, we present a new compiler that handles these scenarios. Moreover, we can use our compiler to combine existing authentication protocols in a novel way with key exchange protocols. This includes:

— Zero-Knowledge Authentication. Zero-knowledge protocols have been developed with the goal to authenticate entities. However, in all known compilers, they cannot be combined with key agreement, except if they are transformed into digital signature schemes using the Fiat-Shamir heuristic. With our second compiler, ZK protocols can be used directly, which enables many interesting new protocols.

— Privacy-preserving authentication. With our compiler, we can easily combine privacy-preserving authentication protocols like Direct Anonymous Attestation with different key agreement protocols.

Man-in-the-middle Attack. Our real-world attack scenario is as follows (cf. Figure 1): the adversary E ("Eve") acts as an active (wo)man-in-the-middle (MITM) between A and B during key exchange, and then acts as a passive "wire" during authentication. As a result, E has successfully authenticated as "A" towards B and as "B" towards A, and shares (different) keys with A and B.

To counter this attack, one could of course apply standard cryptographic primitives to turn the key exchange protocol into an authenticated key exchange protocol (AKE) [?], but this is not possible in the cases cited above, because the implementation of the KE protocol cannot be changed, or the desired security goals (e.g. privacy) cannot be reached with standard compilers. Our compiler turns the combination of the two protocols into a provably secure AKE protocol. During compilation, only the authentication protocol is changed slightly.

¹ At first glance, it seems that the security of TLS as a key agreement protocol could easily be proven in the Bellare-Rogaway model, since we only have to consider passive adversaries, and the TLS ciphersuites include e.g. ephemeral Diffie-Hellman key exchange. However, there are some subtle problems with the Reveal query and the fact that the final Finished message of the TLS handshake is already encrypted. Therefore it is still unclear if TLS fits in our theoretical framework.
Fig. 1. Attack Scenario: Real-world man-in-the-middle attack (left), and unknown key share attack (right)

Unknown Key Share (UKS) Attacks. To be able to prove the security in the standard Bellare-Rogaway (BR) model, the resulting AKE protocol must also be secure against unknown key share (UKS) attacks [?] that do not directly lead to an attack in the real world, but invalidate security proofs in the model. Interestingly, in our scenario this is a kind of orthogonal attack to MITM attacks (cf. Figure 1): the adversary acts as a man-in-the-middle on the authentication protocol. To achieve security against both (MITM and UKS) attacks, one usually needs two compilers: one compiler that adds authenticators to each message [?], and one compiler that includes the complete state of the session into the computation of the session key [?]. Our compilers achieve this in one step, because we force the adversary to prove knowledge of the session key $k$ through the derived key $dk$ during authentication. Thus the adversary cannot authenticate to A or B without knowing $k$, and neither A nor B will accept.

Practical AKE protocols. If the two parties accept, they share a common state. This state consists of the secret key $k$ and the transcript of all messages sent and received. This transcript plays an important role in the BR model, since it defines the attack possibilities of the adversary. In practically relevant AKE protocols, a hash of this transcript is included in a final message secured with a MAC, to protect against MITM attacks.

The A&KE Compilers. To protect against MITM attacks in our generic scenario, it is sufficient to simply include the transcript of the KE protocol into the authentication protocol. (Many authentication protocols offer the possibility to authenticate arbitrary strings chosen by A or B, e.g. authentication protocols based on digital signatures, or the MAP2 protocol from [2].) Such a compiler protects against MITM attacks because (a) any modification of messages in the KE protocol automatically results in a modification of messages in the authentication protocol (since the transcript is included), which results in an abort of the authentication protocol if this protocol is secure in the BR model. Thus (b) the adversary is restricted to a passive role when attacking the KE protocol, but this protocol is by definition secure against passive adversaries.

Unfortunately, this simple compiler cannot be proven secure in the BR model, because the adversary also has access to the transcript of the protocol, and can use this in both instances of the authentication protocol (cf. right side of Fig. 1). To avoid this attack, a secret value only known to A and B (i.e. the
session key $k$) must be used in the authentication protocol in a generic way. There are at least two different methods (besides [?]) to achieve this:

— An additional pair of messages can be sent after the KE and the authentication protocol. These messages contain a cryptographic checksum over the transcripts of both protocols. This checksum is basically a MAC, computed over the transcript of both the KE and the authentication protocol, using a key $K_{mac} = \mathrm{PRF}(k, \text{"MAC"})$ derived from the key $k$ returned by the KE protocol and some pseudo-random function PRF. The actual session key $K$ returned by the compiled protocol (i.e., the value returned by a Reveal or Test query in the BR model) is also derived from $k$ as $K = \mathrm{PRF}(k, \text{"KE"})$. Later in the paper we describe the compiler for this in detail, and prove its security in the standard model.

— Alternatively, we can modify a value that is present in all secure authentication protocols, in such a way that it does not change the security properties of the protocol:

  In a generic authentication protocol, a random challenge $r_A$ guaranteeing the freshness of the message(s) must be sent from the challenger A to the prover B, which is answered with a response $s_B$ from B. Ideally, this challenge is chosen from a large message space with uniform distribution.

  We assume that $r_A$ is chosen uniformly from $\{0,1\}^t$, for some security parameter $t$. The answer $s_B := f(sk_B, r_A)$ is computed using the secret long-lived key $sk_B$ of B and the challenge $r_A$.

  Our compiler changes the computation of $s_B$ slightly. Instead of using the challenge $r_A$ directly, we use a derived value $r'_A$ from the same distribution:

  $r'_A := H(K_{mac}, r_A, \mathit{transcript}_{KE}), \qquad s'_B := f(sk_B, r'_A),$

  where $H$ is some hash function modeled as a random oracle. Please note that $r'_A$ is never sent (cf. Figure 2), but has to be computed by A and B. Thus the adversary E does not learn $r'_A$. This construction does not alter the security properties of the authentication protocol.

  Later in the paper we give a security proof for this compiler in the random oracle model.
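The man-in-the-middle attack on the naive combination, and both compiler variants, as an added example (constructed for this page, not the authors' code). Everything concrete in it is an assumption of the example: a toy Diffie-Hellman exchange in a small safe-prime group stands in for the passively secure KE, a MAC-based challenge-response under a long-lived key shared by A and B stands in for the generic authentication protocol $f(sk_B, \cdot)$, and HMAC-SHA256 and SHA-256 instantiate PRF and $H$. `run_session("none", mitm=True)` reproduces the left side of Figure 1: A accepts B's response although A and B hold different keys, because Eve forwards $r_A$ and $s_B$ unchanged. With either compiler the transcript and $K_{mac}$ seen by A and B differ, so the response (or the final MAC) no longer verifies and A rejects.

```python
"""Naive 'key exchange, then authentication' versus the two A&KE compilers, with a MITM
on the key exchange. Constructed example, not the paper's code: toy DH group p = 2039
(generator of the order-1019 subgroup), MAC-based challenge-response under a shared
long-lived key sk_AB as the authentication protocol, HMAC-SHA256 as PRF, SHA-256 as H."""
import hashlib, hmac, secrets

P, Q, G = 2039, 1019, 4          # toy parameters; a deployment uses a >= 2048-bit group
SK_AB = b"long-lived key shared by A and B (constructed)"

def prf(k, label):               # PRF(k, label) with the raw DH value k as key material
    return hmac.new(str(k).encode(), label, hashlib.sha256).digest()

def H(*parts):                   # hash function H (random oracle in the second compiler)
    return hashlib.sha256(b"|".join(parts)).digest()

def f(sk, challenge):            # authentication response s_B = f(sk_B, challenge)
    return hmac.new(sk, challenge, hashlib.sha256).digest()

class Party:
    def __init__(self, initiator):
        self.initiator = initiator
        self.x = secrets.randbelow(Q)
        self.msg = str(pow(G, self.x, P)).encode()          # KE message g^x

    def ke_finish(self, peer_msg):
        k = pow(int(peer_msg), self.x, P)                    # raw DH key as seen by this party
        self.transcript = self.msg + peer_msg if self.initiator else peer_msg + self.msg
        self.K, self.K_mac = prf(k, b"KE"), prf(k, b"MAC")   # K = PRF(k,"KE"), K_mac = PRF(k,"MAC")

    def derived(self, r, compiled):
        # second compiler: r'_A = H(K_mac, r_A, transcript_KE), computed locally, never sent
        return H(self.K_mac, r, self.transcript) if compiled else r

def run_session(compiler, mitm):
    """compiler in {"none", "mac", "challenge"}; returns (A accepts B, A and B share K)."""
    A, B = Party(initiator=True), Party(initiator=False)
    if mitm:   # Eve is active on the KE: one DH run with A (posing as B), one with B (posing as A)
        A.ke_finish(Party(initiator=False).msg)
        B.ke_finish(Party(initiator=True).msg)
    else:
        A.ke_finish(B.msg)
        B.ke_finish(A.msg)
    use_rprime = compiler == "challenge"
    r_A = secrets.token_bytes(16)                           # challenge r_A, relayed unchanged by Eve
    s_B = f(SK_AB, B.derived(r_A, use_rprime))              # B's response, relayed unchanged by Eve
    accepted = hmac.compare_digest(s_B, f(SK_AB, A.derived(r_A, use_rprime)))
    if compiler == "mac":
        # first compiler: extra message carrying MAC_{K_mac}(transcript_KE || transcript_auth)
        tag_B = hmac.new(B.K_mac, B.transcript + r_A + s_B, hashlib.sha256).digest()
        tag_A = hmac.new(A.K_mac, A.transcript + r_A + s_B, hashlib.sha256).digest()
        accepted = accepted and hmac.compare_digest(tag_B, tag_A)
    return accepted, A.K == B.K
```

Without a MITM all three variants return `(True, True)`. With a MITM, `"none"` returns `(True, False)`: the authentication succeeds on a key Eve shares with A, which is exactly the failure the compilers are designed to remove; `"mac"` and `"challenge"` return `(False, False)`.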


1.1 Related Work 

In their seminal papers on two-party authenticated key agreement, Bellare 
et al. started a line of research that has expanded in two directions: group key 
agreement jOj, |KF22I1 ()] . and refined models to cover different types of attacks 
|1 1 l‘2.'-ir24| . All these models cover concurrent execution of the protocol, and at 
least corruption of non-related session keys. 

All models can roughly be classified in two groups: models that require a 
unique session ID before the start of the protocol, and models that construct 
this session ID. m is the prototype of the former case: proofs and definitions are 
easier, but it is unclear how a session ID can be defined for practical applications. 
(E.g. in case of an SSL man-in-the-middle, browser and server do not share any 
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common state.) Newer models like |21 or |21 thus avoid this assumption, and 
construct the session identifiers from the messages sent and received by the 
intended communication partners. 

Unknown key share [5] attacks do not threaten the real world security of 
cryptographic protocols, but invalidate security proofs in the formal models that 
follow [2]: If the adversary is able to force two protocol participants into accepting 
the same session key, but without a matching conversation, a Reveal query 
to one of the participants will help to win the Test game against the other 
participant. Choo, Boyd and Hitchcock have shown how to invalidate security 
proofs of various protocols in the different models [?], and how to fix the 
problem by including the whole session information in the computation of the 
session key [?]. They were able to compare the relative strengths of the different 
models assuming that session identifiers are constructed as a concatenation of 
the exchanged messages. 

Canetti and Krawczyk in [?] consider a practically important protocol (IPSec 
IKE), which has a structure that places authentication after key exchange. Still, 
this is a single AKE protocol, and thus not comparable to our construction. In 
2008 Morissey et al. studied the security of the TLS key agreement protocol 
[?] and provided a modular and generic proof of security for the established 
application keys. 

Katz and Yung presented in [?] a first scalable compiler that transforms any 
passively secure group key-exchange protocol to an actively secure AKE. Their 
compiler adds one round and constant size (per user) to the original scheme, by 
appending an additional signature to each message of the protocol. 


1.2 Contribution 

In this paper, we describe two new compilers that allow us to combine key 
agreement protocols (which, in the BR model, need only be secure against passive 
adversaries) with arbitrary authentication protocols to form an authenticated 
key agreement (AKE) protocol in the sense of [2]. 

These compilers enable us to formally prove the security of real world protocols 
in the BR model, which was not possible before. The most important case here 
is TLS with an authentication protocol on top of the TLS channel, which can 
be proven secure if the authentication protocol is secure in the BR model. This 
is possible since we consider TLS only as a key agreement protocol, and not as 
an AKE protocol, and it seems likely that the security of (some ciphersuites of) 
TLS against passive adversaries can be proven. 

Additionally, the compilers allow for a modular design of new AKE protocols, 
using existing protocols (e.g. TLS, IPSec IKE) or new ones (e.g. zero-knowledge 
authentication, group signatures). The formal security proof is simplified 
considerably, since the security of key agreement and authentication protocols can 
be proven separately, and our theorems yield the security of the combined 
protocol. 

2 Preliminaries and Definitions 

In this section, we recall the syntax and security definitions of the building blocks 
for our protocol compilers. 

2.1 Digital Signature Schemes 

A digital signature scheme is a triple Σ = (SIG.Gen, SIG.Sign, SIG.Vfy), consisting 
of a key generation algorithm (sk, pk) ← SIG.Gen(1^κ) generating a (public) 
verification key pk and a secret signing key sk on input of security parameter 
κ, a signing algorithm σ ← SIG.Sign(sk, m) generating a signature for message m, 
and a verification algorithm SIG.Vfy(pk, m, σ) returning 1 if σ is a valid signature 
for m under key pk, and 0 otherwise. 

Consider the following security experiment played between a challenger C and 
an adversary A. 

1. The challenger generates a public/secret key pair (sk, pk) ← SIG.Gen(1^κ); 
the adversary receives pk as input. 

2. The adversary may query arbitrary messages m_i to the challenger. The 
challenger replies to each query with a signature σ_i = SIG.Sign(sk, m_i). Here i is 
an index, ranging between 1 ≤ i ≤ q for some polynomial q = q(κ). Queries 
can be made adaptively. 

3. Eventually, the adversary outputs a message/signature pair (m, σ). 

Definition 1. We say that Σ is secure against existential forgeries under 
adaptive chosen-message attacks (EUF-CMA), if 

$\Pr\left[(m,\sigma) \leftarrow \mathcal{A}^{\mathcal{C}}(1^\kappa, pk) : \mathrm{SIG.Vfy}(pk, m, \sigma) = 1 \wedge m \notin \{m_1, \ldots, m_q\}\right] \le \epsilon$ 

for all probabilistic polynomial-time (in κ) adversaries A, where ε = ε(κ) is some 
negligible function in the security parameter. 


2.2 Message Authentication Codes 

A message authentication code is an algorithm MAC. This algorithm implements 
a deterministic function w = MAC(K_mac, m), taking as input a (symmetric) key 
K_mac ∈ {0, 1}^κ and a message m, and returning a string w. 

Consider the following security experiment played between a challenger C and 
an adversary A. 

1. The challenger samples K_mac ← {0, 1}^κ uniformly at random. 

2. The adversary may query arbitrary messages m_i to the challenger. The 
challenger replies to each query with w_i = MAC(K_mac, m_i). Here i is an index, 
ranging between 1 ≤ i ≤ q for some polynomial q = q(κ). Queries can be made 
adaptively. 

3. Eventually, the adversary outputs a pair (m, w). 

Definition 2. We say that MAC is a secure message authentication code, if 

$\Pr\left[(m,w) \leftarrow \mathcal{A}^{\mathcal{C}}(1^\kappa) : w = \mathrm{MAC}(K_{\mathrm{mac}}, m) \wedge m \notin \{m_1, \ldots, m_q\}\right] \le \epsilon$ 

for all probabilistic polynomial-time (in κ) adversaries A, where ε = ε(κ) is some 
negligible function in the security parameter. 

2.3 Pseudo-random Functions 

A pseudo-random function is an algorithm PRF. This algorithm implements a 
deterministic function z = PRF(k, x), taking as input a key k ∈ {0, 1}^κ and some 
bit string x, and returning a string z ∈ {0, 1}^κ. 

Consider the following security experiment played between a challenger C and 
an adversary A. 

1. The challenger samples k ← {0, 1}^κ uniformly at random. 

2. The adversary may query arbitrary values x_i to the challenger. The 
challenger replies to each query with z_i = PRF(k, x_i). Here i is an index, ranging 
between 1 ≤ i ≤ q for some polynomial q = q(κ). Queries can be made 
adaptively. 

3. Eventually, the adversary outputs a value x and a special symbol ⊤. The 
challenger sets z_0 = PRF(k, x) and samples z_1 ← {0, 1}^κ uniformly at random. 
Then it tosses a coin b ← {0, 1}, and returns z_b to the adversary. 

4. Finally, the adversary outputs a guess b' ∈ {0, 1}. 

Definition 3. We say that PRF is a secure pseudo-random function, if 

$|\Pr[b = b'] - 1/2| \le \epsilon$ 

for all probabilistic polynomial-time (in κ) adversaries A, where ε = ε(κ) is some 
negligible function in the security parameter. 

2.4 Key Exchange Protocols 

A (two-party) key-exchange protocol is a protocol executed among two parties 
A and B. At the end of the protocol, both A and B obtain the same key K_0 as 
the output of the protocol. 

Definition 4. We say that a key-exchange protocol is passively-secure if for all 
polynomial-time adversaries it holds that |Pr[b = b'] − 1/2| ≤ ε for some negligible 
function ε in the following experiment. 

1. A challenger generates the public parameters Λ of the protocol (e.g. a 
generator describing a group etc.). 

2. The adversary receives Λ as input, and may query the challenger. To this 
end, it submits a symbol ⊥. Then, the challenger runs a protocol instance, 
and obtains the transcript T of all messages exchanged during the protocol 
and a key K_0. The challenger returns (T, K_0). 

3. Eventually, the adversary outputs a special symbol ⊤. Given ⊤, the 
challenger runs a protocol instance, obtaining the transcript T and key K_0, 
samples K_1 uniformly at random from the key space of the protocol, and tosses 
a fair coin b ∈ {0, 1}. Then it returns (T, K_b) to the adversary. 

4. The adversary may continue making ⊥-queries to the challenger. 

5. Finally, the adversary outputs a bit b'. 

We say that the adversary wins the game, if b = b'. 

Simple protocols satisfying the above definition are the Diffie-Hellman protocol 
(under the DDH assumption), or key-transport using an IND-CPA secure 
encryption scheme (i.e., party A samples a random key k, encrypts k under B's 
public key, and sends the ciphertext to B). 

2.5 Secure Authenticated Key Exchange 

While the security model for passively-secure key-exchange protocols is very 
simple, a more complex model is required to capture the capabilities of active 
adversaries and to define secure authenticated key-exchange. We must describe the 
subtleties of executions that we expect from the implementations of the protocol, 
the attacks against which our protocol should be secure, and which outcome we 
expect if we run the protocol with the defined adversary. In accordance with the 
line of research [?] initiated by Bellare and Rogaway [?], we model our 
adversary by providing an “execution environment”, which emulates the real-world 
capabilities of an active adversary. That is, the adversary has full control 
over the communication network, thus may forward, alter, or drop any message 
sent by the participants, or insert new messages. 

Execution Model. Let ℓ = ℓ(κ) and S = S(κ) be polynomials in the security 
parameter κ. Our model is characterized by a collection of oracles 

$\{\pi^s_{i,j} : i, j \in [\ell],\ s \in [S]\}.$ 

An oracle π^s_{i,j} represents an entity i running the protocol with entity j for the 
s-th time. Each oracle maintains its own internal state (e.g. nonces); all oracles 
representing some entity i share the same long-term secrets of entity i. Moreover, 
each oracle π^s_{i,j} maintains a variable T storing an ordered list of all messages 
sent and received by π^s_{i,j} so far. 

An oracle aborts if it receives a message which is not valid according to the 
protocol specification, or terminates after it has sent or received the last protocol 
message according to the protocol specification. When a process terminates, it 
outputs “accept” or “reject” and (possibly) a key k. 

An adversary may interact with these oracles by issuing different types of 
queries. Before the first query is asked, long-term secret/public key pairs (pk_i, sk_i) 
for each entity i are generated. An adversary A receives as input the long-term 
public keys (pk_1, …, pk_ℓ) of all parties, and may then ask the following query: 

— Send(π^s_{i,j}, m): The adversary can use this query to send any message m of his 
own choice to oracle π^s_{i,j}. The oracle will respond according to the protocol 
specification. If m = ∅, where ∅ denotes the empty string, then π^s_{i,j} will 
respond with the first protocol message. 

Secure Authentication Protocols. An authentication protocol is a protocol 
run between two processes π^s_{i,j} and π^t_{j,i} of two parties P_i and P_j, where 
both processes output either “accept” or “reject” at the end of the protocol. We 
define correctness and security of an authentication protocol following the idea 
of matching conversations, as introduced by Bellare and Rogaway [?]. 

In the following let T_{i,s} denote the transcript of all messages sent and received 
by process π^s_{i,j}. Intuitively, we would like to say that a protocol is correct, if a 
process π^s_{i,j} outputs “accept” if there exists a process π^t_{j,i} with T_{i,s} = T_{j,t}. 
Likewise, we would like to say that a protocol is secure, if a process accepts only 
if there exists a process π^t_{j,i} with T_{i,s} = T_{j,t}. 

As in [2], we face a minor technical obstacle here, which is inherent to 
authentication protocols. Suppose that P_i sends the last message of the protocol (thus, 
P_j has initiated the protocol run if the number of protocol rounds is even, or P_i 
has initiated the protocol if the number of rounds is odd). Party P_i does not get 
any response to its last message, thus has to accept without knowing whether 
P_j received the last message.² To overcome this obstacle, we let T'_{i,s} be the 
transcript T_{i,s} truncated by the last message, and we have to define correctness and 
security in a slightly more complicated way. 

Definition 5. We say that two processes π^s_{i,j} and π^t_{j,i} have matching 
conversations, if either 

— P_i sends the last message of the protocol according to the protocol specification 
and it holds that T'_{i,s} = T_{j,t}, or 

— P_j sends the last message of the protocol according to the protocol 
specification and it holds that T_{i,s} = T'_{j,t}. 

Definition 6. We say that an authentication protocol is correct, if for all 
processes π^s_{i,j} it holds that π^s_{i,j} “accepts” if there exists a process π^t_{j,i} such that π^s_{i,j} 
and π^t_{j,i} have matching conversations. 

Definition 7. We say that an authentication protocol is secure in the Bellare-
Rogaway model, if for all probabilistic polynomial-time (PPT) adversaries A, 
interacting with the black-box O(Π) as described above in the execution model, 
it holds that: 

Each process of O(Π) “accepts” only if there exists a process π^t_{j,i} such that 
π^s_{i,j} and π^t_{j,i} have matching conversations, except for some negligible probability 
ε = ε(κ) in the security parameter. 

² In contrast, a protocol can be designed such that the party receiving the last 
message accepts only if it has received this message correctly according to the protocol 
specification. 

Secure Authenticated Key-Exchange Protocols. An authenticated key-exchange 
protocol is an authentication protocol, where additionally both parties 
obtain a key k after accepting. Intuitively, we would like to say that an 
authenticated key-exchange protocol is secure, if 

— the protocol is a secure authentication protocol, and 

— an adversary cannot distinguish a key k computed in a protocol run from 
a uniformly random value from the key space. This should hold even if the 
adversary is able to learn the key computed in other protocol instances. 

We formalize this by extending the execution model by two more types of queries, 
which may be asked by the adversary. 

— Test(π^s_{i,j}): This query may only be asked once throughout the game. If 
process π^s_{i,j} has not (yet) “accepted”, the black-box returns some failure symbol 
⊥. Otherwise the black-box flips a fair coin b. If b = 0, a random element 
from the keyspace is returned. If b = 1 then the session key k computed in 
process π^s_{i,j} is returned. 

— Reveal(π^s_{i,j}): The adversary may learn the key k computed in 
process π^s_{i,j} by asking this type of query. The adversary submits π^s_{i,j} to the 
black-box. If process π^s_{i,j} has “accepted”, the black-box responds with the 
key k in process π^s_{i,j}. Otherwise some failure symbol ⊥ is returned. 

Definition 8. Let A be a PPT adversary, interacting with the black-box O(Π) 
described in the above execution model (denoted with A^{O(Π)}). 

We say that an authenticated key-exchange protocol Π is secure in the Bellare-
Rogaway model, if 1.) Π is a secure authentication protocol according to 
Definition 7 and 2.) 



for all A. 


As Shoup pointed out in [23, §15], we do not have to explicitly model a Corrupt 
query, as one can efficiently reduce the standard BR model to a model without 
Corrupt queries (see also [?, p. 70 ff.]). 

3 Authenticated Key Exchange Compiler in the Standard 
Model 

Let us now describe our generic AKE compiler. The compiler takes as input the 
following building blocks (which have been defined in Section 2): 

— a key-exchange protocol KE, 

— a digital signature scheme Σ = (SIG.Gen, SIG.Sign, SIG.Vfy), 

— a message authentication code MAC, 

— and a pseudorandom function PRF. 

The compiled protocol between two parties A and B proceeds as follows (see 
also Figure 2). 
1. A and B run the key exchange protocol. For instance, both parties may run 
the well-known Diffie-Hellman protocol [?]. Throughout this protocol run, 
both parties compute key k and record transcripts T_KE^A and T_KE^B, where T_KE^C 
consists of the list of all messages sent and received by party C ∈ {A, B}. 

2. The key k computed by KE is used to derive two keys K = PRF(k, “KE”) 
and K_mac = PRF(k, “MAC”), where “KE” and “MAC” are some arbitrary 
fixed constants such that “KE” ≠ “MAC”.³ 

3. Then A samples a random nonce r_A ← {0, 1}^λ and sends it to B; B samples 
r_B ← {0, 1}^λ and sends it to A. 

4. Party A computes a signature σ_A ← SIG.Sign(sk_A, T_1^A) under A's secret key 
sk_A, where T_1^A = (T_KE^A || r_A || r_B) is the transcript of all messages sent and 
received by A so far. Then B computes a signature σ_B over the transcript T_1^B = 
(T_KE^B || r_A || r_B) of all messages sent and received by B. Let T_2^A = (σ_A || σ_B) 
denote the signatures sent and received by A, and T_2^B = (σ_A || σ_B) be the 
signatures sent and received by B. 

5. A sends a MAC w_A = MAC(K_mac, T_2^A || 0) over transcript T_2^A using the key 
K_mac computed in step 2. B replies with w_B = MAC(K_mac, T_2^B || 1). 

6. Party A accepts if SIG.Vfy(pk_B, T_1^A, σ_B) = 1 and w_B = MAC(K_mac, T_2^A || 1), 
that is, if σ_B is a valid signature for T_1^A under B's verification key pk_B 
and if w_B is a valid MAC under key K_mac for T_2^A || 1. B accepts if it holds 
that SIG.Vfy(pk_A, T_1^B, σ_A) = 1 and w_A = MAC(K_mac, T_2^B || 0). Finally, if both 
parties accept then the key K is returned. 

Observe that the signatures and MACs are verified using the internal transcripts 
of parties A and B. The intention behind embedding the transcripts 
in the protocol is to detect any changes that an active adversary makes to the 
messages sent by A and B. Informally, in the two-layer authentication consisting 
of the signature scheme and MAC, the signature is used to authenticate users 
and thwart man-in-the-middle attacks on the key-exchange protocol, while the 
MAC is used as an implicit “key confirmation” step to avoid unknown key-share 
attacks [?]. 

This allows us to prove security requiring only rather weak security properties 
from the utilized building blocks, namely we require that KE is secure against 
passive adversaries only, that the digital signatures are existentially unforgeable 
under (non-adaptive) chosen-message attacks, and that the MAC and PRF meet 
their standard security notions. 
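As an added illustration (not code from the paper), the six steps above in Go, with both parties' views kept separate: X25519 as the passively-secure KE, Ed25519 as SIG, and HMAC-SHA256 standing in for both MAC and PRF are assumptions of this example. The tamper flag exercises the point of the transcript embedding: an altered KE message makes the two views of T_1 diverge, so both signature checks fail and nobody accepts.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// check aborts on key-generation or randomness failures, which a demo cannot recover from.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// macTag stands in for MAC(K_mac, m) and prfDerive for PRF(k, label). Both use
// HMAC-SHA256 here by assumption; the paper only requires a secure MAC and PRF.
func macTag(key, m []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(m)
	return h.Sum(nil)
}

func prfDerive(k []byte, label string) []byte { return macTag(k, []byte(label)) }

// party holds one participant's long-term Ed25519 key and an ephemeral X25519 key.
type party struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	eph  *ecdh.PrivateKey
}

func newParty() party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	check(err)
	return party{pub, priv, eph}
}

// dh completes X25519 with the peer share exactly as it arrived over the wire.
func dh(own *ecdh.PrivateKey, peerShare []byte) []byte {
	peer, err := ecdh.X25519().NewPublicKey(peerShare)
	check(err)
	k, err := own.ECDH(peer)
	check(err)
	return k
}

func cat(parts ...[]byte) []byte { return bytes.Join(parts, nil) }

// RunCompiledAKE executes steps 1-6 of the compiler for one session. With
// tamper set, B's KE message is replaced in transit by an adversary's own
// share, so A's view of the KE transcript differs from B's. It returns whether
// A accepts, whether B accepts, and whether both derived the same K.
func RunCompiledAKE(tamper bool) (aAccepts, bAccepts, sameKey bool) {
	A, B := newParty(), newParty()

	// Step 1: passively-secure KE (X25519); each side records T_KE in flow order.
	mA := A.eph.PublicKey().Bytes() // A -> B
	mB := B.eph.PublicKey().Bytes() // B -> A
	mBAtA := mB                     // what A actually receives
	if tamper {
		adv, err := ecdh.X25519().GenerateKey(rand.Reader)
		check(err)
		mBAtA = adv.PublicKey().Bytes()
	}
	kA, kB := dh(A.eph, mBAtA), dh(B.eph, mA)
	tkeA, tkeB := cat(mA, mBAtA), cat(mA, mB)

	// Step 2: derive K and K_mac from k under two distinct fixed labels.
	KA, KmacA := prfDerive(kA, "KE"), prfDerive(kA, "MAC")
	KB, KmacB := prfDerive(kB, "KE"), prfDerive(kB, "MAC")

	// Step 3: fresh nonces r_A and r_B, exchanged in the clear.
	rA, rB := make([]byte, 16), make([]byte, 16)
	_, err := rand.Read(rA)
	check(err)
	_, err = rand.Read(rB)
	check(err)

	// Step 4: each side signs its own view T_1 = T_KE || r_A || r_B.
	t1A, t1B := cat(tkeA, rA, rB), cat(tkeB, rA, rB)
	sigA, sigB := ed25519.Sign(A.priv, t1A), ed25519.Sign(B.priv, t1B)
	t2 := cat(sigA, sigB) // T_2 = (sigma_A || sigma_B); same bytes on both sides here

	// Step 5: key-confirmation MACs over T_2 with direction labels "0" (A) and "1" (B).
	wA := macTag(KmacA, cat(t2, []byte("0")))
	wB := macTag(KmacB, cat(t2, []byte("1")))

	// Step 6: verify the peer's signature over the *local* T_1 and the peer's
	// MAC over the local T_2 under the locally derived K_mac.
	aAccepts = ed25519.Verify(B.pub, t1A, sigB) && hmac.Equal(wB, macTag(KmacA, cat(t2, []byte("1"))))
	bAccepts = ed25519.Verify(A.pub, t1B, sigA) && hmac.Equal(wA, macTag(KmacB, cat(t2, []byte("0"))))
	sameKey = bytes.Equal(KA, KB)
	return
}

func main() {
	for _, tamper := range []bool{false, true} {
		a, b, same := RunCompiledAKE(tamper)
		fmt.Printf("tampered KE=%v: A accepts=%v, B accepts=%v, same K=%v\n", tamper, a, b, same)
	}
}
```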

Remark 1. The digital signatures sent in the first round after running KE are 
merely a concrete instantiation of a tag-based authentication scheme as 
introduced in [?]. It is possible to generalize the above protocol by replacing the 
digital signatures with a tag-based authentication scheme, without making 
substantial changes to the protocol or the security proof given below. 

³ Note that we assume here implicitly that the output key space of KE matches the 
input key space of PRF. This fact is not only important for correctness, but also for 
the security proof. 
[Fig. 2. AKE Protocol. Figure residue; recoverable content: A computes K := PRF(k, “KE”), 
K_mac := PRF(k, “MAC”) and accepts if SIG.Vfy(pk_B, T_1^A, σ_B) = 1 and 
MAC(K_mac, T_2^A || “1”) = w_B; B computes K := PRF(k, “KE”), K_mac := PRF(k, “MAC”), 
records T_2^B = (σ_A || σ_B), sends w_B := MAC(K_mac, T_2^B || “1”), and accepts if 
SIG.Vfy(pk_A, T_1^B, σ_A) = 1 and MAC(K_mac, T_2^B || “0”) = w_A.] 


3.1 Security Analysis 

Theorem 1. If the KE protocol, the signature scheme, the message authentication 
code and the pseudo-random function are secure with respect to the definitions 
in Section 2, then the above protocol is a secure AKE protocol in the sense 
of Definition 8. 

We prove the above theorem by two lemmas. Lemma 1 states that the AKE 
protocol meets property 1) of Definition 8. Lemma 2 states that it meets property 
2) of Definition 8. 

Lemma 1. If the key exchange protocol (KE), the signature scheme (SIG), the 
message authentication code (MAC) and the pseudo-random function (PRF) are 
secure with respect to the definitions in Section 2, then the above protocol satisfies 
property 1) of Definition 8. 

Proof. (Sketch) The proof proceeds in a sequence of games, following [?]. 
The first game is the real security experiment. By assumption there exists an 
adversary A that breaks the security of the above protocol. We then describe 
several intermediate games that step-wise modify the original game. Next we 
show that in the final security game the adversary has only negligible advantage 
in breaking the security of the protocol. Finally we prove that (under the stated 
security assumptions) no adversary can distinguish any of these games X_{i+1} from 
its predecessor X_i. Let X_i be the event that A wins in Game i. In the following 
let negl(κ) be some (unspecified) negligible function in the security parameter κ. 

Game 0. This is the original security game with b = 1, that is, the adversary 
always receives the “real” key. By assumption A can distinguish K from a 
random key (i.e. correctly answer the Test(π^s_{i,j}) query) when given access to the 
Send(π^s_{i,j}, m) and Reveal(π^s_{i,j}) oracles while A and B accept. 
Game 1. This game proceeds exactly like the previous game, except that the 
simulator aborts if A or B accept and T_1^A ≠ T_1^B. 

Claim 1. We claim that 

$|\Pr[X_1] - \Pr[X_0]| \le \mathrm{negl}(\kappa)$ 

by the EUF-CMA security of the digital signature scheme. The proof of this claim 
exploits that from A's perspective the transcript T_1^A is unique with overwhelming 
probability (due to the honest random choice of r_A) and from B's perspective 
T_1^B is unique for (honestly-chosen) r_B with overwhelming probability. 

Game 2. This game proceeds exactly like the previous game, except that the 
simulator now chooses a uniformly random key k̃ to derive K_mac and K as 
K_mac = PRF(k̃, “MAC”) and K = PRF(k̃, “KE”). 

Claim 2. We claim that 

$|\Pr[X_2] - \Pr[X_1]| \le \mathrm{negl}(\kappa)$ 

by the security of KE against passive adversaries. In the proof we exploit that 
we must have T_1^A = T_1^B if A or B accept, as otherwise we abort due to Game 1. 

Game 3. This game proceeds exactly like the previous game, except that the 
simulator now chooses a uniformly random key k̂ (instead of K_mac) to compute 
w_A and w_B as w_A = MAC(k̂, T_2^A || 0) and w_B = MAC(k̂, T_2^B || 1). 

Claim 3. We claim that 

$|\Pr[X_3] - \Pr[X_2]| \le \mathrm{negl}(\kappa)$ 

by the security of the pseudorandom function PRF. In the proof we exploit that 
we have exchanged the “real” key k computed in KE with a “random” key k̃ in 
Game 2. 

Observe here that, since the output key space of KE must match the input 
key space of PRF, and PRF is assumed to be secure, it follows implicitly here 
that the output key space of KE needs to be super-polynomially large. 

Game 4. This game proceeds exactly like the previous game, except that the 
simulator aborts if A or B accepts and T_2^A ≠ T_2^B. 

Claim 4. We claim that 

$|\Pr[X_4] - \Pr[X_3]| \le \mathrm{negl}(\kappa).$ 

Recall that in Game 4 we must have T_1^A = T_1^B due to our abort condition from 
Game 1 and that we have replaced the key k computed in KE with a uniformly 
random key k̂ in Game 3 to compute the MACs in the considered protocol 
instance. Thus, if we have T_2^A ≠ T_2^B, then the adversary must have forged a 
MAC to make A or B accept. We can therefore use the adversary to break the 
security of MAC. 
Game 5. This game proceeds exactly like the previous game except that the 
simulator aborts if A or B accepts and T_3^A ≠ T_3^B, where T_3^A = (w_A, w_B) consists 
of the MACs sent and received by A and T_3^B = (w_A, w_B) consists of the MACs 
sent and received by B. 

Claim 5. We have 

$\Pr[X_5] = \Pr[X_4].$ 

This follows from the fact that we have defined MAC as a deterministic function, 
and we have T_1^A = T_1^B due to Game 1 and T_2^A = T_2^B due to Game 4. 

Collecting probabilities from Game 0 to 5 we obtain that both A and B 
accept only if they have matching conversations, except for some negligible 
error probability. 

Lemma 2. If KE, SIG, MAC and PRF are secure with respect to the definitions 
in Section 2, then the above protocol satisfies property 2) of Definition 8. 

Proof. (Sketch) Again we proceed in a sequence of games. The first 5 games of 
the proof are identical to the sequence in the proof of Lemma 1. We merely add 
one further game. 

Game 6. This game proceeds exactly like the previous game except that the 
simulator now chooses K uniformly at random from the keyspace. 

Claim 6. We claim that 

$|\Pr[X_6] - \Pr[X_5]| \le \mathrm{negl}(\kappa).$ 

This again follows from the security of the PRF, where we use that the seed k̃ is 
chosen uniformly at random and independent (cf. Game 2). 

In Game 6, the adversary receives a uniformly random key K. However, by 
collecting probabilities from Game 0 to 6 we obtain that Game 6 is (computationally) 
indistinguishable from Game 0, which proves indistinguishability of “real” 
from “random” keys. Thus, the protocol is secure in the sense of Definition 8. 

4 An Alternative AKE Compiler for Practical Protocols 

Our second compiler is designed for practical applications, where we cannot 
change the session key K resulting from the KE protocol [?], or where we 
want to avoid an additional round of protocol messages after the authentication 
protocol. In this compiler, we directly integrate the transcript of the KE protocol, 
and the secret value K_mac, into the authentication protocol. To do so, we first 
have to define a “generic” scheme for an authentication protocol. 

We only have minimal requirements on the authentication protocols. The 
party (“challenger”) who wants to authenticate the other party (“prover”) has 
to include a random value of high entropy into one of its protocol messages. 
(Otherwise an adversary may just query different instances of the prover for 
responses for the most probable challenges to increase her advantage.) The prover 
must answer with a value that was computed using his long-lived key sk, and 
the challenge itself. 

Fig. 3. Scheme of a standard mutual authentication protocol Γ (left), and the version 
Γ' modified by our compiler (right) 

The following protocols fulfill our requirements: 

- AKEP1 and AKEP2 as defined in [?] 

- Sigma- and Schnorr protocols (see [?]) 

- Zero-Knowledge Authentication protocols as introduced in [?] 

- Zero-Knowledge Password-Proof protocols as introduced in [?] 

- Signature based authentication protocols. 

In this respect, our compiler may even enhance the security of the authentication 
protocol. This applies to the authentication of both parties, or of one party only. 

Let Γ be an authentication protocol as depicted in Fig. 3. Then we denote 
by r_A a value (the challenge) that is sent from A to B, and by s_B = f(sk_B, r_A) 
the value (response) returned to A that allows A to check the authenticity of B. 
The values r_B and s_A are defined analogously. 

The main idea in the construction of a modified authentication protocol Γ' 
is to transmit r_A and r_B according to the protocol specification of Γ, but 
to compute the response based on both the received challenge, the transcript 
transcript_Π of the key agreement protocol Π, and the secret value K_mac. This is 
done using a random oracle H. Our compiler Comp, which takes as input a key 
agreement protocol Π secure against passive adversaries, and a secure 
authentication protocol Γ, outputs an authenticated key agreement protocol Comp(Π, Γ) 
which works as follows: 

AKE-2 Compiler: Let (π^s_{AB}, γ^s_{AB}) and (π^t_{BA}, γ^t_{BA}) be two pairs of 
oracles for Π and Γ. 

1. Π is executed by π^s_{AB} and π^t_{BA} without any change. The resulting secret 
value is k = (K, K_mac) for π^s_{AB}, and k' = (K', K'_mac) for π^t_{BA}. (Ideally 
k = k', but we have to take into account actions by the adversary.) The 
session key K (K', resp.) is used for encryption and integrity protection, 
and the secret value K_mac (K'_mac, resp.) is sent locally to the processes γ^s_{AB} 
and γ^t_{BA}, together with the local transcript of the messages of Π. (The 
values K and K_mac are computed as described in Section 3.) 

2. Now Γ is executed by γ^s_{AB} and γ^t_{BA} with the following change: In 
the computation of s_A and s_B, the values r_A and r_B are replaced with 
r'_A := H(K_mac, r_B, transcript_Π) and r'_B := H(K'_mac, r_A, transcript'_Π), and 
thus we get s'_A = f(sk_A, r'_A) and s'_B = f(sk_B, r'_B), where H is a 
random oracle. If γ^s_{AB} accepts, the local output is K, and K' for γ^t_{BA}. 
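An added example, not from the paper, of the derived-challenge step of the second compiler in Go for a signature-based authentication protocol (one of the families listed above): f is Ed25519 signing and H is HMAC-SHA256 keyed with K_mac (both assumptions), and K_mac together with the transcript of Π are constructed sample values standing in for the output of step 1. Naming follows Section 1 (A's challenge r_A, B's response s'_B); only r_A crosses the wire, r'_A is recomputed on each side from the local KE state.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// DerivedChallenge computes r' = H(K_mac, r, transcript_Pi). H is instantiated
// as HMAC-SHA256 keyed with K_mac by assumption; the paper models H as a
// random oracle. The result is never transmitted.
func DerivedChallenge(kmac, r, transcript []byte) []byte {
	h := hmac.New(sha256.New, kmac)
	h.Write(r)
	h.Write(transcript)
	return h.Sum(nil)
}

// Respond is the prover side of Gamma': s' = f(sk, r') with f instantiated as
// Ed25519 signing (assumption). The prover receives r and derives r' locally.
func Respond(sk ed25519.PrivateKey, kmac, r, transcript []byte) []byte {
	return ed25519.Sign(sk, DerivedChallenge(kmac, r, transcript))
}

// Check is the challenger side: it recomputes r' from its own KE state and
// verifies the response against that value, not against the r it sent.
func Check(pk ed25519.PublicKey, kmac, r, transcript, resp []byte) bool {
	return ed25519.Verify(pk, DerivedChallenge(kmac, r, transcript), resp)
}

// Scenario runs one challenge-response of Gamma' with A as challenger and B as
// prover. kmac and transcriptA are constructed sample values for the output of
// Pi. With mismatch set, B's copy of the transcript differs from A's in one bit,
// as it would after an active modification of a KE message.
func Scenario(mismatch bool) bool {
	pkB, skB, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	kmac := []byte("constructed K_mac sample value")
	transcriptA := []byte("constructed transcript of Pi: gA || gB")
	transcriptB := append([]byte(nil), transcriptA...)
	if mismatch {
		transcriptB[0] ^= 0x01
	}
	rA := make([]byte, 16) // A's challenge, sent in the clear
	if _, err := rand.Read(rA); err != nil {
		panic(err)
	}
	sB := Respond(skB, kmac, rA, transcriptB) // B's response s'_B = f(sk_B, r'_A)
	return Check(pkB, kmac, rA, transcriptA, sB)
}

func main() {
	fmt.Println("matching KE state, B authenticated:", Scenario(false))
	fmt.Println("mismatched KE state, B authenticated:", Scenario(true))
}
```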

Lemma 3. If Π is a key agreement protocol secure against passive adversaries, 
then it is impossible that three different oracles accept with the same (secret) 
state (k, transcript_Π), where k = (K, K_mac) is the secret value computed by Π, 
and transcript_Π is the transcript of all protocol messages. 

Proof. If this was the case, then A, B and the (active) adversary E all would 
be able to compute k, but the adversary would not have modified any message 
exchanged between A and B (since the transcripts are identical). Thus E, acting 
as a passive adversary, would be able to compute k, a contradiction. 

Lemma 4. In Comp(Π, Γ), any two oracles γ^s_{AB} and γ^t_{BA} with matching 
conversations have access to a unique random oracle that is defined as 
H_AB(·) := H(K_mac, ·, transcript_Π). Neither E, nor any other oracle has access 
to this random oracle. 

Proof. Since the pair (K_mac, transcript_Π) is unique for any pair of oracles, 
H_AB(·) is unique, too. 

Theorem 2. If Γ is a secure authentication protocol, then Γ' as defined in Fig. 
3 also is a secure authentication protocol. 

Proof. Let γ'^s_{AB} and γ'^t_{BA} be two process (oracle) instances of A and B in 
Γ'. It should be clear that if γ'^s_{AB} and γ'^t_{BA} have matching conversations, 
then both oracles will accept. 

We have to show that the probability that γ'^s_{AB} or γ'^t_{BA} accepts without 
a matching conversation is negligible. Now assume on the contrary that there 
is an adversary E' that is able to make γ'^s_{AB} or γ'^t_{BA} accept without a 
matching conversation, with non-negligible probability ε. Then we can define an 
adversary E that achieves the same goal with the protocol Γ: Since E' has no 
access to the random oracle H_AB, she can only try to guess the challenge r'_A (r'_B, 
resp.). Now E simply ignores the challenge r_X she sees, guesses a 
random challenge r'_X, and tries to compute s'_X from this challenge. This strategy 
succeeds with non-negligible probability ε, and we have thus contradicted our 
assumption that Γ is a secure authentication protocol. 

Theorem 3. If Π is a key agreement protocol secure against passive 
adversaries, and if Γ is a secure authentication protocol, then Comp(Π, Γ) is a secure 
authenticated key agreement protocol. 
Proof (Sketch). γ^s_{AB} and γ^t_{BA} will accept in Γ' if and only if they have access 
to the same random oracle H_AB(·). (Otherwise they have to guess the challenge 
r'_X, which succeeds only with negligible probability.) If they have access to the 
same random oracle, then π^s_{AB} and π^t_{BA} completed Π with the same state 
(k, transcript_Π). If γ^s_{AB} and γ^t_{BA} accept, Π and Γ were both completed 
by the same endpoints A and B. This excludes active attacks on Π (since the 
transcript is unchanged), and UKS attacks on Γ. Thus E may only mount a 
passive attack on Π, which succeeds only with negligible probability. 
Abstract. In this article, we study an interesting and very practical 
key management problem. A server shares a symmetric key with a client, 
whose memory is limited to R key registers. The client would like to send 
private messages using each time a new key derived from the original 
shared secret and identified with a public string sent together with the 
message. The server can only process N computations in order to retrieve 
the derived key corresponding to a given message. Finally, the algorithm 
must be forward-secure on the client side: even if the entire memory of 
the client has leaked, it should be impossible for an attacker to retrieve 
previously used communication keys. Given N and R , the total amount 
T of keys the system can handle should be as big as possible. 

In practice such a forward-secure symmetric-key derivation protocol is very relevant, in particular in the payment industry, where the clients are memory-constrained paying terminals and where distributing symmetric keys in the field is a costly process. At the present time, one standard is widely deployed: the Derive Unique Key Per Transaction (DUKPT) scheme defined in ANSI X9.24. However, this algorithm is complicated to understand, not scalable and offers poor performance.

We provide here a new construction, Optimal-DUKPT (or O-DUKPT), that is not only simpler and more scalable, but also more efficient both in terms of client memory requirements and server computations when the total number of keys $T$ is fixed. Finally, we also prove that our algorithm is optimal with regard to the client memory $R$ / server computations $N$ / number of keys $T$ the system can handle.

Keywords: key management, key derivation, DUKPT, forward-security.


1 Introduction 

In information security, one of the most complicated parts of practical cryptography is key management. Many different scenarios exist and a different method is often required for each of them. The banking industry is well accustomed to facing strong constraints regarding key management. Financial transactions are processed in the paying terminal that reads the user's magnetic card or chip card data. In order to validate the PIN input from the user, protocols based on symmetric-key cryptography [?] are usually implemented. Also, because of the recent devastating attacks on back-office payment servers, the industry found strong incentives in protecting as well the user card data that is sent to the bank. Leading solutions [?], deploying format-preserving encryption, are also based on symmetric-key cryptography.

Of course, the symmetric key shared between the terminal and the bank must be securely distributed beforehand. In most cases, this is done by manually injecting the key into the terminals in a secure room. Clearly, such a process is costly for the stakeholders and cannot be done frequently. For that reason, the symmetric keys stored in the terminal are static and not often changed.

Recently, the industry has seen the rise of side-channel attacks [?], practical and devastating methods that aim at recovering the secret key inside cryptographic modules by analyzing unusual information channels such as computation time, power consumption, electromagnetic emission, etc. As the paying terminal environment cannot be considered secure, side-channel attacks have to be taken into account seriously. For this reason, the banking industry has actively promoted an improved and more secure key management protocol: Derive Unique Key Per Transaction (DUKPT), defined in ANSI X9.24 [2].

The idea of DUKPT is to derive from the originally shared key a unique key per transaction. This feature greatly reduces the applicability of side-channel attacks, for which many measurement traces of encryption processes with the same symmetric key must be obtained. Moreover, this method is done in a forward-secure way on the client side (the servers are considered to be located in a secure environment): if the internal state of the client is recovered, the attacker cannot retrieve any of the transaction keys previously used. The algorithm can handle up to one million derived keys, which seems a reasonable upper bound for the number of transactions performed during a paying terminal's life-cycle. Thus, the costly key injection process only has to be performed once.

DUKPT is standardized and now widely deployed in a majority of payment solutions. However, this protocol consumes a lot of memory in the devices, which are strongly memory-constrained. This is particularly problematic when a terminal has to be able to communicate with several distinct servers, and thus to handle many DUKPT instances at the same time. Moreover, DUKPT can also cause trouble on the server side, since it is costly in terms of the computations required to retrieve the transaction key. Of course, this issue is even worsened by the fact that the server receives many financial transactions at the same time.

Our Contribution. In this article, we propose an improvement over the DUKPT technique described in ANSI X9.24 [2]. Our forward-secure symmetric-key derivation protocol offers scalability, simplicity and memory/computation performance gains. Yet the problem we study here is more general than just the sole case of paying terminals in the banking industry: memory-constrained clients that want to share with a computation-limited server unique symmetric keys per message sent, in a forward-secure way. After having described our new proposal O-DUKPT, we show that it is optimal in terms of client memory requirements $R$ / server computations $N$ / number of keys $T$ handled by the construction. Note that we restrict ourselves to using symmetric-key cryptography only. For forward-secure encryption schemes using public-key cryptography, see for example [?].

2 State-of-the-Art 

2.1 Goals and Constraints 

Derive Unique Key Per Transaction (DUKPT, see [2]) is a symmetric-key derivation scheme that offers several nice security properties for payment industry scenarios (or any asymmetric situation where one server securely communicates with many memory-constrained clients). First, the symmetric keys used for each payment transaction are distinct. Moreover, a forward-security feature is incorporated: if the internal state of the paying terminal is entirely or partially compromised by any means, no useful information on the keys derived in previously processed transactions can be retrieved from this leakage. Usually, the DUKPT scheme is utilized for the derivation of symmetric keys ciphering PIN blocks (for user authentication), or more recently for deriving symmetric keys that encrypt sensitive banking data such as the Personal Account Number (PAN), expiration date, etc.

In practice, we have one server $S$ that communicates with many paying terminals and each of these clients $C_i$ must first share a symmetric key with $S$. For obvious security reasons, two clients cannot share the same key with the server (except by chance). This constraint could lead to memory problems for $S$ if it has to deal with many clients. The issue is avoided by starting from a Base Derivation Key ($BDK$), directly available to $S$. The $k$-bit key shared between a client $C_i$ and the server $S$ is denoted $IK_i$ (for Initial Key) and is derived from the $BDK$ as follows:

$$IK_i = F(BDK, i)$$

where $F : \{0,1\}^* \to \{0,1\}^k$ is a pseudo-random function. We give in Appendix A how $F$ is obtained in practice. Thus, the system is initialized by giving $BDK$ to the server, and $IK_i$ to each client $C_i$. This key distribution is not in the scope of this article, but in general it is done on the client side with manual key injection in a secure room or with remote key injection using public-key cryptography. Note that when a transaction is sent from the client to the server, the identity of the client $C_i$ has to be sent as well, so the server can appropriately derive the originally shared key $IK_i$. The initialization process is depicted in Figure 1. The problem studied in this paper can be directly reduced to the case of a single client. Therefore, from now on, we will only consider two entities: a server $S$ and a client $C$ that initially share a key $IK$.

Fig. 1. Server and clients initialization

We would like to derive the unique transaction keys in a forward-secure way, using only the function $F$ as a black-box. There is a very natural and inefficient way of achieving this: the client $C$ maintains an internal state of one key, initialized with $IK$. The internal state after having processed the $j$-th transaction is denoted $S_j$ and we have $S_0 = IK$. Then, the key used for transaction $j$ is simply the key stored in the internal state, $S_{j-1}$, and we update the internal state with $S_j = F(S_{j-1}, j)$. At each transaction, the client sends the value $j$ so that the server can understand which key is shared for this transaction. It is clear that each key derived will be unique (except by chance) and that we have the forward-security property: $F$ is a non-invertible process, so one cannot obtain any information on the previous keys by recovering the internal state. However, it is also clear that this will be very inefficient on the server side. If one would like to handle, say, 1 million transactions, the server may have to go through one million computations of $F$ to obtain the key in the worst case.

The idea of ANSI X9.24 DUKPT is to allow the client to store more data than just one key, so as to lower the computation cost on the server side. More precisely, DUKPT allows the client to store $R = 21$ key registers and the server to compute $F$ at most $N = 10$ times for one key derivation (not counting $IK_i = F(BDK, i)$). Overall, a total of $T = 1048575$ transactions can be handled.

In this paper we will show that DUKPT is not optimal when studying the following problem: given at most $R$ key storage registers in one client $C$ and $N$ computations of $F$ on the server $S$ for one key derivation, what is the maximum number $T$ of distinct keys the system can handle while ensuring the forward-security property if all the secret information contained in $C$ is compromised? We provide an optimal algorithm, named Optimal-DUKPT (or O-DUKPT), that can handle up to $T = \binom{N+R}{N} - 1$ derived keys. For example, with the original parameters of DUKPT, $R = 21$ and $N = 10$, we are able to generate $T = 44352164$ keys. Otherwise, if the goal is to be able to derive about one million keys, one can use our solution with only $R = 13$ key registers. Our solution is not only more attractive in terms of memory and computations, but it is also much simpler to understand and to implement. Finally, Optimal-DUKPT is completely scalable and, depending on the expected/desired memory/computation constraints of the system, it offers very valuable tradeoffs for practical applications.

2.2 ANSI X9.24 DUKPT Description 

For completeness and later comparison, we provide in this section a description of the original DUKPT algorithm as defined in the ANSI X9.24-2009 document [2]. We assume that the shared symmetric key $IK$ has been securely given to the client and the server. We define $hw(x)$ as the hamming weight of the word $x$. The base 2 representation is denoted $(\cdot)_2$, i.e. 13 in base 2 is written $(1101)_2$, the most significant bit being located on the left. Also, for $x \neq 0$, we define $y = \bar{x}$ to be the value of $x$ with the least significant "1" bit set to zero. For example, if $x = (10110)_2$ we have $y = \bar{x} = (10100)_2$ and $\bar{y} = (10000)_2$.

In order to identify the key derived, for each transaction a 21-bit counter $tc$ is sent from the client to the server. Then, for transaction $j$, the counter value $tc = j$ is sent and the key identified by $j$ is used. The initial key $IK$ is considered as the key identified by $j = 0$. DUKPT intrinsically defines a hierarchy between the keys: each key used for transaction $j \neq 0$ is the daughter of the key identified by $\bar{j}$ (by "A is the daughter of B", we mean that A is directly derived from B with $F$). For example, the key identified by $j = (0\ldots010000)_2$ has four daughters identified by $j_1 = (0\ldots010001)_2$, $j_2 = (0\ldots010010)_2$, $j_3 = (0\ldots010100)_2$ and $j_4 = (0\ldots011000)_2$, since $j = \bar{j_1} = \bar{j_2} = \bar{j_3} = \bar{j_4}$. More precisely, we have

$$K_j = F(K_{\bar{j}}, j).$$

Before describing the process on the client and server side, one may ask why a 21-bit counter is needed (20 bits would suffice). The reason is that not all values of the counter and the corresponding keys will be used. Indeed, only the counter values with a non-zero hamming weight lower than or equal to 10 will be considered, and one can aim for a total key amount of

$$T = \sum_{i=1}^{10} \binom{21}{i} = 2^{20} - 1 = 1048575.$$

On the Server Side. $S$ receives the 21-bit transaction counter $tc$. The server will derive the transaction key with only $hw(tc)$ computations of $F$ (since we forced $hw(tc) \le 10$, we do have the property that at most $N = 10$ computations of $F$ are required). First, $S$ deduces the bit position $p_1$ of the most significant "1" bit of $tc$ and computes $c_{temp} = 2^{p_1}$ and $K_{temp} = F(IK, c_{temp})$. Then, the server deduces the bit position $p_2$ of the second most significant "1" bit of $tc$ and computes $c_{temp} = c_{temp} + 2^{p_2}$ and $K_{temp} = F(K_{temp}, c_{temp})$. One continues until all the $hw(tc)$ "1" bits of $tc$ have been processed. Then, the final key stored in $K_{temp}$ is the shared key for this transaction. One can see that the server derivation simply consists in following the key hierarchy starting from $IK$ and ending at $K_{tc}$. For example, if $tc = (0\ldots011010)_2$, the server first computes $K_{temp} = F(IK, (0\ldots010000)_2)$, then $K_{temp} = F(K_{temp}, (0\ldots011000)_2)$ and finally $K_{temp} = F(K_{temp}, (0\ldots011010)_2)$.

On the Client Side. The derivation on the client side is a little bit more complicated. First, the client is initialized as follows: each register $r$ is filled with the value $F(IK, 2^{r-1})$ with $r \in \{1, \ldots, R\}$, i.e. each register $r$ is filled with $K_{2^{r-1}}$. Then, $IK$ is erased from the client's memory. One can note that those $R = 21$ keys are in fact the mothers of all future keys. For the first transaction, the key corresponding to $tc = 1$ is located in the first register (since the key stored in this register is $K_1 = F(IK, 1)$). Once the transaction is completed, the content of this register is erased in order to preserve the forward-secrecy: only $IK$ is the mother of $K_1$ and it has already been erased. Note that one can freely erase $K_1$ because it has no daughter, so one does not lose any important information for later derivation. Then, when $tc = 2$, one uses the content of register 2 as transaction key. However, since $K_2$ is the mother of $K_3$, before erasing it, one derives $K_3 = F(K_2, 3)$ and stores this key in register 1. One continues this process until all registers contain no more information.

Table 1. Chronological accesses to the key registers on the client side for DUKPT. A value $K_i$ in a cell means that the key $K_i$ is derived and stored in the corresponding column register at the corresponding row iteration. An "X" means that for this transaction the client used the key located in the corresponding register and then erased its contents.

To summarize, for a transaction $j$, the client picks and uses the key $K_j$ located in register $r$, where $r$ is the bit position of the least significant "1" bit of $j$. Then, before erasing $K_j$ from its memory, the client derives and stores all the $r - 1$ direct daughters of $K_j$ in the $r - 1$ least significant registers. The forward-secrecy is always maintained since, after a transaction key has been used, it is always ensured that this key and its mother (or (grand)*-mothers) will no longer be present in the client's memory. Also, remember that all counter values with hamming weight strictly greater than 10 are skipped. We give in Table 1 an illustration of the chronological accesses to the key registers.
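A simulation of the DUKPT client and server just described, added here as an example (it is neither the paper's code nor the ANSI X9.24 reference implementation). It assumes $F$ instantiated as HMAC-SHA256 with the counter fed in as a 4-byte integer (the real $F$ is given in Appendix A), and generalises the scheme to an $R$-bit counter with $hw(tc) \le N$, so that the standard's $R = 21$, $N = 10$ gives $T = 2^{20} - 1$ while small parameters keep the run short. It checks that the server recovers every transaction key with $hw(tc) \le N$ calls of $F$ and that a used key never stays in a register.

```python
"""DUKPT (ANSI X9.24 style) client/server simulation. Added example; assumes
F = HMAC-SHA256(key, tc as 4-byte big-endian) and an R-bit counter with
hamming weight at most N (R = 21, N = 10 in the standard)."""
import hashlib
import hmac
from math import comb


def F(key: bytes, tc: int) -> bytes:
    # Assumed pseudo-random function F(key, tc); not the standard's own F.
    return hmac.new(key, tc.to_bytes(4, "big"), hashlib.sha256).digest()


def hw(x: int) -> int:
    return bin(x).count("1")                  # hamming weight of x


def derivation_path(tc: int) -> list:
    """Counter values fed to F by the server, most significant '1' bit first:
    each value adds the next '1' bit of tc, walking down the key hierarchy."""
    path, c = [], 0
    for pos in reversed(range(tc.bit_length())):
        if (tc >> pos) & 1:
            c += 1 << pos
            path.append(c)
    return path


def server_key(ik: bytes, tc: int, n: int) -> bytes:
    """Derive K_tc from IK with exactly hw(tc) <= N calls of F."""
    if not 0 < hw(tc) <= n:
        raise ValueError("counter value never used by the client")
    key = ik
    for c in derivation_path(tc):
        key = F(key, c)
    return key


class DUKPTClient:
    def __init__(self, ik: bytes, n: int, r: int):
        self.N, self.R = n, r
        # register r holds K_{2^(r-1)} = F(IK, 2^(r-1)); IK itself is not kept
        self.regs = [F(ik, 1 << i) for i in range(r)]
        self.tc = 0

    def next_transaction(self):
        """Return (tc, K_tc) for the next usable counter, or None when the
        R-bit counter is exhausted. Counters with hw(tc) > N are skipped."""
        tc = self.tc + 1
        while tc < (1 << self.R) and hw(tc) > self.N:
            tc += 1
        if tc >= (1 << self.R):
            return None
        self.tc = tc
        r = (tc & -tc).bit_length()           # register = position of lsb '1'
        key = self.regs[r - 1]
        # store the r-1 daughters K_{tc + 2^i} in registers 1..r-1; daughters
        # of a key at hamming weight N would never be used, so none are stored
        for i in range(r - 1):
            self.regs[i] = F(key, tc + (1 << i)) if hw(tc) < self.N else None
        self.regs[r - 1] = None               # erase K_tc: forward secrecy
        return tc, key


def simulate(n: int, r: int, ik: bytes) -> dict:
    """Run one client to exhaustion and check, for every transaction, that the
    server derives the same key within N calls of F and that the used key is
    no longer present in the client's registers."""
    client, keys = DUKPTClient(ik, n, r), []
    mismatches = leaks = max_calls = 0
    while (tx := client.next_transaction()) is not None:
        tc, key = tx
        mismatches += server_key(ik, tc, n) != key
        leaks += key in client.regs
        max_calls = max(max_calls, len(derivation_path(tc)))
        keys.append(key)
    return {"count": len(keys), "distinct": len(set(keys)),
            "mismatches": mismatches, "leaks": leaks, "max_calls": max_calls,
            "expected": sum(comb(r, i) for i in range(1, n + 1))}


if __name__ == "__main__":
    print(simulate(4, 8, b"constructed IK, not a real key"))
```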

3 A New Proposal: O-DUKPT 

3.1 General Idea 

Our underlying idea for improving DUKPT can be understood with the following simple observation: for the very first transaction $tc = 1$ of DUKPT, the key $K_1$ located in the first register is used and directly erased. Note that this key has no daughter in the key hierarchy and that its mother is $IK$ (it is at distance 1 from $IK$). In other words, the server can retrieve $K_1$ from $IK$ with only one computation of $F$. Instead of erasing $K_1$ directly, and since we are still far from reaching 10 computations of $F$ on the server side, we could have derived another key from $K_1$ and placed it in this first register. Continuing this idea, we could have generated 9 more keys with the first register only.

Now, this can be generalized to the other registers as well. Once the first register contains a key located at a distance of 10 from $IK$, we cannot derive from it anymore. Then, we have to utilize the key located in the second register, but before erasing it from the client's memory, we can derive from it two new keys that we will place in the first and second registers. Those two new keys are at distance 2 from $IK$. Again, we can derive many keys using only the first register, but one less than before since we started from a key at distance 2 (and not 1) from $IK$. This idea is finally iterated over all the registers.


3.2 Description 

In order to preserve the scalability of the algorithm, Optimal-DUKPT will be defined as a family of key management schemes. Each member of the family is identified by the amount $R$ of key registers available on the client side and the maximum number $N$ of computations required to derive one key on the server side. Moreover, we will show later that each member can handle a maximum number of keys $T = \binom{R+N}{N} - 1$.

As for the original DUKPT, we assume that the shared symmetric key $IK$ has been securely given to the client and the server. In order to identify the key derived, for each transaction a public string $st$ is sent from the client to the server. This string is composed of $R$ integers $st_i$, with $1 \le st_i \le N$ for $1 \le i \le R$. An integer $st_i$ represents the distance from $IK$ of the key stored in register $i$ of the client's memory before processing the transaction. For example, the string sent for the very first transaction is $1 \ldots 1\,1$, for the second one $1 \ldots 1\,2$, etc.

On the Client Side. The client maintains two tables. First, the classical $R$ key registers, denoted $R_i$ for $1 \le i \le R$. They are simply initialized with $R_i = F(IK, 0^R, i)$ and, once this process is over, $IK$ is erased from the client's memory. Secondly, the client maintains a table $D$ of $R$ integers that we denote $D_i$, where $D_i$ represents the distance from $IK$ of the key stored in register $R_i$. The content of $D$ is exactly what is sent to the server in the string $st$. Naturally, it is initialized with $D_i = 1$ for $1 \le i \le R$.

When requested to process a new transaction, the client builds $st = D$ and looks for the least significant register having a corresponding distance $D_i$ strictly smaller than $N + 1$. This register, that we denote $R_p$, contains the transaction key $TK$ that will be used. Then, once the transaction is over,

• If $D_p < N$ (i.e. more keys can be derived from $TK$), the client updates the $p$ registers $R_p, R_{p-1}, \ldots, R_1$ with $R_i = F(TK, D, i)$ and updates the distance table with $D_i = D_p + 1$ for $1 \le i \le p$.

• Otherwise, if $D_p = N$ (i.e. $TK$ does not have any daughter), the client simply erases the content of register $R_p$ and updates $D_p = D_p + 1 = N + 1$.

Note that in the key derivation process, the data used as input of $F$ is always unique. Indeed, $D$ will be different for each transaction. This guarantees the security of the system. The forward-secrecy is always maintained since, after a transaction key has been used, it is always ensured that this key (and its predecessors) will no longer be present in the client's memory. We give an example of the client's internal state evolution in Table 2, or an alternate tree view in Figure 2.

Fig. 2. Tree view of the client side key derivation example from Table 2 with system parameters $N = 3$ and $R = 3$. We denote $TK_i$ the key used for the $i$-th iteration, and the $R_i$ beside the circles represent the register in which each key $TK_i$ is stored during the process.

Table 2. Example of key registers and distance tables evolution on the client side, with system parameters $N = 3$ and $R = 3$. We denote $TK_i$ the key used for the $i$-th iteration. An "X" in the key registers evolution columns means that the client erases the contents of this register.
On the Server Side. The server receives a string $st$ that corresponds to the table $D$ of the client before processing the transaction. Note that the distance values memorized in this table are always increasing from the most significant to the least significant register. Moreover, we recall that when the client extracted a transaction key from a register $R_p$, the distance table was such that $D_i = N + 1$ for $1 \le i \le p - 1$. We denote by $g_{p,v}(D)$ the transformation that maps the distance table $D$ to another distance table $D'$ with

$$D'_i = N + 1 \text{ for } 1 \le i \le p - 1, \qquad D'_p = v, \qquad D'_i = D_i \text{ for } p + 1 \le i \le R.$$

The server first initializes a local distance value $d = 1$ and a register position value $p = p'$, with $p'$ being the most significant position with $D_{p'} > 1$. Then, he computes $K = F(IK, 0^R, p')$ and keeps repeating the following process:

• While $d < D_p - 1$, compute $K = F(K, g_{p,d}(D), p)$ and $d = d + 1$.

• If $p = 1$, then $K = F(K, g_{p,d}(D), p)$ is the key shared with the client, so the program can stop.

• The server finds the most significant position $p'$ such that $D_{p'} > D_p$. If $D_{p'} \neq N + 1$, then he computes $K = F(K, g_{p,d}(D), p')$ and updates the local variables $p = p'$ and $d = d + 1$. Otherwise, $K = F(K, g_{p,d}(D), p' + 1)$ is the key shared with the client, so the program can stop.

This algorithm exactly follows the implicit process performed by the client to derive the transaction key $TK$ from the initial key $IK$. For example, reusing the scenario from Table 2, assume that the server receives $st = 224$. He will first set $d = 1$, $p = 3$ and compute $K = F(IK, 000, 3)$. Then, he does not enter the while loop nor the first if. He computes $p' = 1$ and since $D_{p'} = 4 = N + 1$, the key $K = F(K, 144, 2)$ is the key shared with the client. We give in Table 3 a more complicated example.

Table 3. Example of key derivation on the server side, with system parameters $N = 8$ and $R = 8$ and $st = 12466689$. The key is derived with 8 server computations.

  iter | key update                                    | in: d, p, p' | out: d, p
  -----+-----------------------------------------------+--------------+----------
   -   | K = F(IK, 00000000, 7)                        |      -       | 1, 7
   1   | K = F(K, 11999999, 6)                         | 1, 7, 6      | 2, 6
   2   | K = F(K, 12299999, 6); K = F(K, 12399999, 5)  | 2, 6, 5      | 4, 5
   3   | K = F(K, 12449999, 5); K = F(K, 12459999, 2)  | 4, 5, 2      | 6, 2
   4   | K = F(K, 12466669, 2); K = F(K, 12466679, 2)  | 6, 2, 1      | stop
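A simulation of the O-DUKPT client-side and server-side procedures of this section, added here as an example and not the authors' code. It assumes $F$ instantiated as HMAC-SHA256 over its string arguments (Appendix A defines the real $F$), writes $st$ as $D_R \ldots D_1$ exactly as in the examples above ("111", "224", "12466689"), and reads the two edge cases the description leaves implicit the same way as its last step: a first transaction with $st = 1\ldots1$, and a server step that finds no register with a larger distance (or finds the most significant one already exhausted), which is the reading that reproduces $st = 224 \mapsto F(K, 144, 2)$. Running one client to exhaustion also checks the count $T = \binom{N+R}{N} - 1$ and the bound of $N$ server computations.

```python
"""O-DUKPT client/server simulation. Added example; assumes F(key, D, i) =
HMAC-SHA256(key, "D|i") and st written as the digits D_R ... D_1."""
import hashlib
import hmac
from math import comb


def F(key: bytes, *data: str) -> bytes:
    # Assumed pseudo-random function F(key, D, i); not the paper's own F.
    return hmac.new(key, "|".join(data).encode(), hashlib.sha256).digest()


class ODUKPTClient:
    def __init__(self, ik: bytes, n: int, r: int):
        self.N, self.R = n, r
        # regs[i-1] holds R_i = F(IK, 0^R, i); D[i-1] holds its distance D_i
        self.regs = [F(ik, "0" * r, str(i)) for i in range(1, r + 1)]
        self.D = [1] * r                      # IK is erased after this point

    def st(self) -> str:
        return "".join(str(d) for d in reversed(self.D))   # D_R ... D_1

    def next_transaction(self):
        """Return (st, TK), or None once every register is exhausted."""
        st = self.st()
        # least significant register whose key is still at distance <= N
        p = next((i for i in range(self.R) if self.D[i] <= self.N), None)
        if p is None:
            return None
        tk, dp = self.regs[p], self.D[p]
        if dp < self.N:
            # TK has daughters: refill R_p, ..., R_1 (0-based p..0) from it
            for i in range(p + 1):
                self.regs[i] = F(tk, st, str(i + 1))
                self.D[i] = dp + 1
        else:                                 # TK has no daughter: erase it
            self.regs[p], self.D[p] = None, self.N + 1
        return st, tk


def server_key(ik: bytes, n: int, r: int, st: str):
    """Derive TK from IK and st; returns (key, number of calls of F)."""
    D = [int(c) for c in reversed(st)]        # D[i-1] = D_i
    zeros = "0" * r

    def g(p: int, v: int) -> str:             # g_{p,v}(D) written D'_R ... D'_1
        dprime = [n + 1] * (p - 1) + [v] + D[p:]
        return "".join(str(x) for x in reversed(dprime))

    def most_significant_above(value: int) -> int:
        # 0 when no register holds a distance strictly greater than `value`;
        # register 0 is treated as permanently exhausted (assumed reading)
        return max((i + 1 for i in range(r) if D[i] > value), default=0)

    p = most_significant_above(1)
    if p == 0:                                # st = 1...1: TK is R_1's initial key
        return F(ik, zeros, "1"), 1
    if D[p - 1] == n + 1:                     # R_p exhausted, R_{p+1} still initial
        return F(ik, zeros, str(p + 1)), 1
    d, K, calls = 1, F(ik, zeros, str(p)), 1
    while True:
        while d < D[p - 1] - 1:               # self-updates of register p
            K, d, calls = F(K, g(p, d), str(p)), d + 1, calls + 1
        if p == 1:
            return F(K, g(p, d), "1"), calls + 1
        pp = most_significant_above(D[p - 1])
        if pp and D[pp - 1] != n + 1:         # key moved from R_p into R_pp
            K, p, d, calls = F(K, g(p, d), str(pp)), pp, d + 1, calls + 1
        else:                                 # R_pp exhausted: TK sits in R_{pp+1}
            return F(K, g(p, d), str(pp + 1)), calls + 1


def simulate(n: int, r: int, ik: bytes) -> dict:
    """Run one client to exhaustion; verify the server recovers every TK within
    N calls of F and that a used key never remains in the registers."""
    client, strings, keys = ODUKPTClient(ik, n, r), [], []
    mismatches = leaks = max_calls = 0
    while (tx := client.next_transaction()) is not None:
        st, tk = tx
        key, calls = server_key(ik, n, r, st)
        mismatches += key != tk
        leaks += tk in client.regs
        max_calls = max(max_calls, calls)
        strings.append(st)
        keys.append(tk)
    return {"count": len(keys), "distinct": len(set(keys)), "strings": strings,
            "mismatches": mismatches, "leaks": leaks, "max_calls": max_calls,
            "expected": comb(n + r, n) - 1}


if __name__ == "__main__":
    res = simulate(3, 3, b"constructed IK, not a real key")
    print({k: v for k, v in res.items() if k != "strings"})
```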

3.3 Performance Analysis 

Now that we have defined our construction, we would like to precisely compute its theoretical performance. It is clear that the client only needs to maintain a table of $R$ registers and that the number of computations required on the server side to derive the key is at most $N$ calls to the function $F$. What is the number $T$ of keys the system can support (note that $IK$ is not counted as a transaction key)? Since $T$ depends on $N$ and $R$, we denote $T(N, R)$ the maximum number of keys that can be generated with $R$ client registers and $N$ server computations.

One can be easily convinced that $T(N, 1) = N$. Indeed, with only a single register $R_1$, the derivation process will simply use and self-update the key stored in $R_1$ until it exceeds the maximal distance $N$. Also, we have $T(1, R) = R$ since, with a maximal allowable distance of 1, our construction would simply fill each of the $R$ registers with a key directly derived from $IK$ that has no daughter.

Let $t(n, r)$ denote the number of distinct keys stored by register $r$ at a distance $n$ from $IK$ during the entire course of the algorithm, with $1 \le n \le N$ and $1 \le r \le R$. Since the registers are ordered (a register $r$ can only be updated by a register $r'$ with $r' \ge r$), we deduce that $t(n, R) = 1$, because the most significant register can only be updated by itself. It is also clear that $t(1, r) = 1$, since the only keys at distance 1 are the very first keys stored in each register.

The only way for a register $r$ to hold a key at distance $n > 1$ is to be updated from a key at distance $n - 1$ stored in a register $r' \ge r$. Thus, for $2 \le n \le N$ and $1 \le r \le R$, we have

$$t(n, r) = \sum_{i=r}^{R} t(n - 1, i)$$

which simplifies to

$$t(n, r) = t(n - 1, r) + \sum_{i=r+1}^{R} t(n - 1, i) = t(n - 1, r) + t(n, r + 1).$$

We define the function $g(n, r) = \binom{n + R - r - 1}{n - 1}$ and it is well known that

$$\binom{a}{b} = \binom{a - 1}{b} + \binom{a - 1}{b - 1} \qquad (1)$$

$$\sum_{i=b-1}^{a-1} \binom{i}{b - 1} = \binom{a}{b} \qquad (2)$$

where (2) is derived by induction from (1). Thus, using (1) we obtain

$$g(n, r) = g(n - 1, r) + g(n, r + 1).$$

Since we have $g(n, R) = 1$ and $g(1, r) = 1$, we conclude that $t(n, r) = g(n, r)$ for $1 \le n \le N$ and $1 \le r \le R$.

The total amount of keys handled by the system is computed by

$$T(N, R) = \sum_{n=1}^{N} \sum_{r=1}^{R} t(n, r) = \sum_{n=1}^{N} \sum_{r=1}^{R} \binom{n + R - r - 1}{n - 1} = \sum_{n=0}^{N-1} \sum_{r=0}^{R-1} \binom{n + r}{n}.$$

Finally, using identities (1) and (2) we obtain

$$T(N, R) = \binom{N + R}{N} - 1.$$

3.4 Optimality Proof 

In this section we show that when $N$ and $R$ are fixed, the amount of keys $T$ handled by our algorithm is the maximal reachable value. First, note that we do not count the initial key in this amount. Indeed, as it is potentially sensitive in practice, we consider that the initial key must not be stored on the client side after the initialization process has been performed. Of course, if needed, our algorithm O-DUKPT can be trivially modified in order to also utilize $IK$ as one of the transaction keys: the initialization process only stores $IK$ in one of the registers, then the first transaction key is this initial key and the first register update simply performs the initialization process of O-DUKPT.

We assume that the server and the client can only call the non-invertible func- 
tion F to derive the keys, in a black-box manner. This pseudo-random function 
manipulates an input of arbitrary length and outputs a key. 

After the initialization phase and during the protocol run, the client can only 
store R keys in its memory. We do not count here the temporary memory required 
for the key derivations. Those R registers represent the number of keys that can 
be memorized in the client’s memory once the transaction is over. Once the 
transaction key has been deduced by the client, he processes the transaction 
with this key and sends the public data st to the server. Once st received, the 
server can only use a maximum of N calls of F in order to derive the transaction 
key from the initial key IK. 

The key generation algorithm must be forward-secure on the client side. That is, when a transaction has been performed, it must be impossible for an attacker that just recovered the $R$ internal registers to retrieve any transaction key previously utilized. We call such an algorithm a forward-secure DUKPT algorithm and we denote by $T$ the maximum number of distinct keys the system can handle.

At each transaction $i$, the client can first do some computations from the $R$ registers' contents to deduce the transaction key $TK_i$, then he stores $TK_i$ in its local memory in order to use it, and he finally updates its $R$ internal registers. Because $F$ is a pseudo-random function, there is no need to use several keys on its input. One can generate as many distinct outputs as needed from $F$ with a single key input by using distinct additional data (such as a counter, for example). Thus, when deriving keys or transaction keys with $F$, we can assume that only one key is used on its input.

Now, since we would like to preserve the forward-security on its side (and since $TK_i$ only depends on one key from the $R$ registers), the client model can be simplified: at each transaction, he picks the transaction key $TK$ from one of its internal registers $R_i$, he stores it in its local memory and finally updates the $R$ registers (i.e. the computation phase can be merged with the update). Moreover, since the forward-security forces only $TK$ to be erased, the client only uses this key for derivation (there is no advantage in doing a derivation from a key that we do not have to erase yet). Therefore, for each transaction, the client picks the transaction key $TK$ from one of its internal registers $R_i$, stores it in its local memory and finally updates the $R$ registers exclusively from it.

When studying theoretically the optimality of a DUKPT algorithm, there is no need to consider the server behavior. Indeed, the only requirement for the server is that it must be able to compute the transaction keys with at most $N$ calls to $F$. Since $F$ is a pseudo-random function, this only depends on how the client generated the transaction keys. This constraint is modeled on the client side with a distance value assigned to each key, representing the number of calls to $F$ required to reach this key from $IK$. Obviously, no transaction key can have a distance strictly greater than $N$ (and it is useless to memorize any key with a distance strictly greater than $N$).


Theorem 1. A forward-secure DUKPT algorithm with $R$ client registers and $N$ maximal server computations can derive at most $T$ distinct keys, with

$$T = \binom{N + R}{N} - 1.$$

Let $A$ be an optimal algorithm, i.e. one reaching the maximum value $T$ of keys handled. We prove this theorem with several very simple lemmas concerning $A$.


Lemma 1. After the initialization process of $A$, the $R$ registers of the client are filled with $R$ new distinct keys.

Proof. It is clear that not filling all $R$ registers during the initialization phase is not an optimal method. Let $B$ be such a forward-secure DUKPT algorithm. We can trivially build another forward-secure DUKPT algorithm $B'$ that generates strictly more keys than $B$: during the initialization phase, $B'$ memorizes one more key derived from $IK$ in one of the registers left blank by $B$. It uses this key for the very first transaction and erases the contents of the corresponding register. Once this key has been used and erased from the client's memory, $B'$ behaves identically to $B$. Overall, one more key has been generated in the process. □

Lemma 2. When $A$ derives keys on the client side during the register update, it only memorizes newly derived keys in empty registers.

Proof. Indeed, let $B$ be a forward-secure DUKPT algorithm that memorizes a newly derived key in a non-empty register during one transaction. We can trivially build another forward-secure DUKPT algorithm $B'$ that generates strictly more keys than $B$: $B'$ behaves identically to $B$, but instead of directly erasing this particular register, it first uses the key stored in it and erases the register contents once the transaction is over. Overall, one more key has been generated in the process. □

Lemma 3. When $A$ derives keys on the client side during the register update, all previously empty registers are filled at the end of the process.

Proof. Let $B$ be a forward-secure DUKPT algorithm that does not fill all empty registers when deriving new keys during one transaction. We can trivially build another forward-secure DUKPT algorithm $B'$ that generates strictly more keys than $B$: $B'$ behaves identically to $B$, but instead fills one of the empty registers that $B$ left blank with a new distinct key $K$ (this is possible since we already assumed that $B$ possesses some key content to derive from at this moment). Then, during the next transaction, $B'$ will use $K$, erase it and finally continue as $B'$ in the previous transaction. Overall, one more key has been generated in the process. □

The direct corollary of the two last lemmas is that the update derives keys in 
every empty register only. 

Lemma 4. The transaction key chosen by $A$ is always one of the keys at the maximal available distance from $IK$ (different from $N + 1$).

Proof. Let $B$ be a forward-secure DUKPT algorithm that extracts a transaction key $TK$ from a register $R_i$ containing a key at distance $d < d_{max}$ from $IK$, where $d_{max}$ denotes the maximal distance available among the $R$ registers. From the previous lemmas we know that, after erasure of $R_i$, all empty registers must be filled with keys derived from $TK$. We can trivially build another forward-secure DUKPT algorithm $B'$ that generates strictly more keys than $B$: $B'$ behaves identically to $B$, but instead does one more transaction. First $B'$ extracts a transaction key $TK^+$ among the set of registers containing keys located at distance $d_{max}$ from $IK$. We denote by $R^+$ this register. Then, the update simply consists in erasing $R^+$. For the next iteration, $B'$ extracts the transaction key $TK$ from $R_i$ and performs the update exactly as $B$. The only difference for $B'$ is that $R^+$ will be updated as well, because it is now empty. The update is done with $TK$, located at distance $d < d_{max}$: we make $(d_{max} - d)$ calls to $F$ to perform the derivation, so that $R^+$ finally contains a key at distance $d_{max}$. Thus, at this point, $B'$ has generated one more key (i.e. $TK^+$) than $B$, while reaching the same distance table situation (since $R^+$ has distance $d_{max}$ for both $B$ and $B'$). □

We showed that an optimal algorithm A must fulfill several properties stated in the previous lemmas. Namely, the initialization phase must fill all the R client's registers. Then, for each transaction, the client must use (and erase) one of the keys stored with the maximal distance from IK and derive exclusively from it distinct keys that will be stored in each and every empty register only. This already almost completely specifies what an optimal algorithm is. The only freedom remaining concerns which key is picked when several have the same maximal distance from IK, and this has absolutely no incidence on the maximum number T of keys one can generate. Thus, all algorithms verifying the lemmas are equivalent and optimal. Since our proposal O-DUKPT does fulfill those conditions, we can conclude that we reach the optimal value of T:

$$T = \binom{N+R}{N} - 1.$$


4 Discussions

Knowing the maximum number of computations N on the server is a good guarantee of minimal performance (note that the maximal number of computations on the client side is equivalent for both algorithms: R − 1 for DUKPT and R for O-DUKPT). However, one could also estimate the average number of computations, and for this we need to know the relative amount of keys at distance i from the IK. Let A(i) represent the number of keys at distance i. Of course, we have $T = \sum_{i=1}^{N} A(i)$. The more keys we have at a large distance, the bigger the average number of computations per key on the server side will be. The average number of computations on the server side is

$$C_s = \frac{\sum_{i=1}^{N} i \cdot A(i)}{T}$$

and on the client side it is

$$C_c = \frac{\sum_{i=1}^{N} A(i)}{T} = 1.$$

In the case of O-DUKPT, we have

$$A(i) = \sum_{j=1}^{R} \binom{R-j+i-1}{i-1} = \binom{R+i-1}{i},$$

and for classical DUKPT we have $A(i) = \binom{21}{i}$, with $i \le 10$.
Table 4. Performance comparison between DUKPT (parameters R = 21 / N = 10) and O-DUKPT (for parameters R = 21 / N = 7, R = 13 / N = 10 and R = 17 / N = 8)

           DUKPT              O-DUKPT            O-DUKPT             O-DUKPT
           (R = 21, N = 10)   (R = 21, N = 7)    (R = 13, N = 10)    (R = 17, N = 8)
  T        1048575            1184039            1144065             1081574
  A(1)/T   2^-15.6            2^-15.8            2^-16.4             2^-16.0
  A(2)/T   2^-12.3            2^-12.3            2^-13.6             2^-12.8
  A(3)/T   2^-9.6             2^-8.4             2^-11.3             2^-10.1
  A(4)/T   2^-7.4             2^-6.8             2^-9.3              2^-7.8
  A(5)/T   2^-5.7             2^-4.5             2^-7.5              2^-6.7
  A(6)/T   2^-4.3             2^-2.4             2^-5.8              2^-3.9
  A(7)/T   2^-3.2             2^-0.4             2^-4.5              2^-2.1
  A(8)/T   2^-2.4             -                  2^-3.2              2^-0.6
  A(9)/T   2^-1.8             -                  2^-2.0              -
  A(10)/T  2^-1.6             -                  2^-0.8              -
  C_s      8.65               6.68               9.28                7.56


As a comparison with classical DUKPT, if we use the same amount of registers R = 21 for O-DUKPT, we only need to do at maximum N = 7 computations to handle an equivalent number of keys: $\binom{28}{7} - 1 = 1184039$. If we allow the same amount of maximum computations N = 10 for O-DUKPT, then we only need to maintain R = 13 key registers to handle an equivalent number of keys: $\binom{23}{10} - 1 = 1144065$. Table 4 gives the numerical values of A(i), C_s and C_c. Thus, the performance improvement is twofold: for T and R fixed, not only does O-DUKPT have a lower maximum number of computations on the server side, but the average number of computations is also lower. Finally, we give an example for which O-DUKPT provides better results with regard to every performance aspect (R = 17 and N = 8 gives T = 1081574 and C_s = 7.56).

Variants. We proved in a previous section the optimality of our algorithm. However, one may derive variants concerning its implementation, and most specifically concerning how the client communicates the identity of the key to the server and how the server processes the corresponding key derivation.

Our proposed O-DUKPT implementation requires the client to send a string st of R integers in [1, ..., N]. This could be coded on $\log_2((N-1)^R)$ bits. The algorithm is simple to understand and implement, but it is not optimal in terms of message size since $T < (N-1)^R$. For example, classical DUKPT requires sending a 21-bit counter, while O-DUKPT (with parameters R = 17, N = 8) requires 48 bits.

One can think of several variants if message size is an issue in practice. For example, a very easy way to lower the message size is to leverage the memory available at the server side. Instead of sending the D table before processing the transaction, the client could simply send the transaction counter (thus coded on $\log_2(T)$ bits, the smallest possible message size). The server would have to recover the corresponding table D from the transaction counter received. This could be done very simply by a table lookup. This table, filled during initialization of the system, would require $T \cdot \log_2((N-1)^R)$ bits (roughly 5MB for O-DUKPT with parameters R = 17 and N = 8).
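To make the register rule of the lemmas and the figures of Table 4 concrete, the following Python simulation (an added example, not the paper's code) runs the optimal client rule (fill all R registers from IK; use and erase one key at maximal distance; refill every empty register from it), checks that the server re-derives each transaction key with exactly distance-many calls to F, and compares the counts with the closed forms for T, A(i) and C_s. F is instantiated with HMAC-SHA256 as Appendix A suggests; identifying a key to the server by its derivation path (the sequence of register indices) and the byte encodings are assumptions of this example.

```python
"""Added example: simulate the optimal O-DUKPT client/server rule and
compare with the closed-form key counts of Table 4. Not the paper's code."""
import hashlib
import hmac
import math


def F(key: bytes, data: bytes) -> bytes:
    """One derivation step: a MAC keyed with the incoming key (HMAC-SHA256 here)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_from_ik(ik: bytes, path: tuple) -> bytes:
    """Server side: walk the derivation path from IK; one F call per step,
    so the cost equals the key's distance from IK (= len(path))."""
    key = ik
    for reg in path:
        key = F(key, bytes([reg]))  # assumed encoding of the register index
    return key


class ODUKPTClient:
    """Client holding R registers; each register is (key, path) or None."""

    def __init__(self, ik: bytes, R: int, N: int):
        self.N = N
        # Initialisation fills all R registers with keys at distance 1 (Lemma 1).
        self.regs = [(F(ik, bytes([i])), (i,)) for i in range(R)]
        self.client_calls = R

    def transaction(self):
        """Use and erase one key at maximal distance (Lemma 4), then refill
        every empty register from it (Lemmas 2 and 3) unless distance N was
        reached. Returns (path, key), or None once the registers are exhausted."""
        filled = [i for i, r in enumerate(self.regs) if r is not None]
        if not filled:
            return None
        dmax = max(len(self.regs[i][1]) for i in filled)
        i = next(i for i in filled if len(self.regs[i][1]) == dmax)
        key, path = self.regs[i]
        self.regs[i] = None
        if dmax < self.N:
            for j, r in enumerate(self.regs):
                if r is None:
                    self.regs[j] = (F(key, bytes([j])), path + (j,))
                    self.client_calls += 1
        return path, key


def simulate(R: int, N: int, ik: bytes = b"\x11" * 16):
    """Run the client until exhaustion. Returns (T, total server F calls,
    all server-derived keys matched, total client F calls)."""
    client = ODUKPTClient(ik, R, N)
    T = server_calls = 0
    all_match = True
    tx = client.transaction()
    while tx is not None:
        path, key = tx
        T += 1
        server_calls += len(path)
        all_match = all_match and derive_from_ik(ik, path) == key
        tx = client.transaction()
    return T, server_calls, all_match, client.client_calls


# Closed forms from the text.
def T_odukpt(R: int, N: int) -> int:
    return math.comb(N + R, N) - 1


def A_odukpt(R: int, N: int) -> list:
    """Number of keys at distance i = 1..N for O-DUKPT."""
    return [math.comb(R + i - 1, i) for i in range(1, N + 1)]


def A_dukpt(R: int, N: int) -> list:
    """Number of keys at distance i = 1..N for classical DUKPT (R = 21, N = 10)."""
    return [math.comb(R, i) for i in range(1, N + 1)]


def avg_server_cost(A: list) -> float:
    """C_s = sum_i i*A(i) / T."""
    return sum(i * a for i, a in enumerate(A, 1)) / sum(A)


def log2_ratios(A: list) -> list:
    """The A(i)/T rows of Table 4 as exponents of 2, rounded to one decimal."""
    T = sum(A)
    return [round(math.log2(a / T), 1) for a in A]


def message_bits(R: int, N: int) -> int:
    """Bits needed to send the D table: ceil(log2((N-1)^R))."""
    return math.ceil(R * math.log2(N - 1))


if __name__ == "__main__":
    for R, N in [(21, 7), (13, 10), (17, 8)]:
        A = A_odukpt(R, N)
        print(f"O-DUKPT R={R} N={N}: T={T_odukpt(R, N)} C_s={avg_server_cost(A):.2f}")
    print("simulate(4, 3) =", simulate(4, 3), "closed form T =", T_odukpt(4, 3))
```

With small parameters the simulation is exhaustive, so the returned T and total server cost can be compared directly with binom(N+R, N) − 1 and sum_i i·A(i).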
Appendix A: How to Instantiate F in Practice?

In ANSI X9.24, the DUKPT implementation described is intended to derive 112-bit TDES keys [12] (128-bit keys with 8 bits of parity checks). The F function is therefore itself based on TDES. A 128-bit incoming key K (the first input) is divided into two 64-bit parts K_L and K_R, and the new key K' = K'_L || K'_R is derived with

$$K'_L = \mathrm{TDES}_K(C \oplus K_R) \oplus K_R$$
$$K'_R = \mathrm{TDES}_{K \oplus G}(C \oplus G \oplus K_R) \oplus K_R$$

where C is a known value depending on the counter (the second input), and G is a fixed constant. The parity bits of K'_L and K'_R are then appropriately adjusted.

As F function, we advise using commonly deployed MAC algorithms such as CBC-MAC [2] or HMAC [11] with the incoming key as MAC key and the transaction-related input as MAC message input.
Abstract. We study security amplification for commitment schemes and improve the efficiency of black-box security amplification in the computational setting, where the security holds against PPT active adversaries. We show that ω(log s) black-box calls to a weak bit-commitment scheme with constant security are sufficient to construct a commitment scheme with standard negligible security, where s denotes the security parameter and ω(log s) denotes any super-logarithmic function of s. Furthermore, the resulting scheme is a string commitment scheme that can commit to O(log s)-bit strings. This improves on previous work of Damgård et al. [DKS99] and Halevi and Rabin [HR08], whose transformations require ω(log² s) black-box calls to commit a single bit.

As a byproduct of our analysis, we also improve the efficiency of security amplification for message authentication codes, digital signatures, and pseudorandom functions studied in [DIJK09]. This comes from an improvement of the "Chernoff-type Theorems" of dynamic weakly-verifiable puzzles of [DIJK09].


1 Introduction

1.1 Security Amplification for Commitment Schemes

Security amplification for weak cryptographic primitives is a basic question that has been studied since the seminal work of Yao [Yao82]. This question has been extensively studied in recent years for a variety of primitives in various settings. To name a few, amplification has been studied for encryption schemes [DNR04, HR05], commitment schemes [DKS99, Wul07, HR08], oblivious transfer [DKS99, Wul07], message authentication codes (MACs), digital signatures, and pseudorandom functions (PRFs) [DIJK09]. Some of these works consider information-theoretic security (e.g., [DKS99]), and others consider computational security. The various security properties of primitives present different interactive settings; for example, commitment schemes are more interactive than encryption schemes, and the chosen-message attack for MACs introduces a different type of interaction. Proving amplification results tends to be more challenging in an interactive and computational setting.

In this paper, we continue the study of security amplification for commitment schemes, which was previously studied in [DKS99, Wul07, HR08]. We focus on black-box security amplification in the computational setting, where the security holds against probabilistic polynomial time (PPT) active adversaries. Namely, the starting point is a (weak) bit-commitment scheme Com_0 that is p-hiding in the sense that no PPT adversarial receiver, who may deviate from the prescribed protocol arbitrarily, can guess the committed bit correctly with probability better than (1 + p)/2, and q-binding in the sense that no PPT adversarial sender can open in two ways with probability better than q, and the goal is to transform Com_0 into a secure commitment scheme Com that makes black-box calls to Com_0 and achieves negligible security for both properties.

Previous works focus on feasibility results, namely, for what values of p and q the security amplification is achievable. In the information-theoretic setting (i.e., the security holds for unbounded adversaries), Damgård, Kilian and Salvail [DKS99] showed that a black-box transformation is possible if and only if p + q < 1 − 1/poly(s), where s is the security parameter. Halevi and Rabin [HR08] analyzed the transformation of [DKS99] in the computational setting and proved that a black-box transformation is possible whenever p + q < 1 − 1/polylog(s). Recently and independently of our work, Holenstein and Schoenebeck [HS10] improved the result to optimal. They showed that in the computational setting, black-box security amplification is achievable if and only if p + q < 1 − 1/poly(s).

However, the existing transformations are not very efficient. To measure the efficiency, let us consider the number of black-box calls to Com_0 that Com makes when p and q are constants with p + q < 1. Note that the number of black-box calls affects not only the communication complexity, but also the round complexity of the resulting protocol, because in the computational setting, each black-box call needs to be done sequentially.¹ All existing solutions require ω(log² s) black-box calls to securely commit a single bit. At a high level, the reason is that they amplify the hiding and binding properties separately. Amplifying each property from constant to negligible seems to require ω(log s) black-box calls, which is the case of the existing constructions and results in ω(log² s) black-box calls in total. On the other hand, the existing constructions give bit commitment schemes, but there are applications that require string commitment schemes. Since it requires ω(log s) black-box calls to amplify the security anyway, perhaps we can obtain a string commitment scheme instead of just committing to a single bit, which also improves efficiency in terms of the rate, i.e., the number of black-box calls per committed bit. These motivate us to ask the following question.

Main question: How many black-box calls does it require to amplify a (weak) bit commitment scheme with constant security to one with negligible security? What is the length of the string that the resulting Com can commit to, and what is the achievable rate?

Our Results. We give a transformation that amplifies a (weak) bit commitment scheme with constant security to an O(log s)-bit string commitment scheme with negligible security using only ω(log s) black-box calls, where O(log s) (resp., ω(log s)) denotes any O(log s) (resp., ω(log s)) function of the security parameter s. In terms of rate, we achieve ω(1) black-box calls per committed bit. A summary of our result and existing results can be found in Figure 1.

¹ In general, the commit stage of Com_0 can consist of multiple rounds. If the black-box calls are done in parallel, one can show by modifying the counter example of Bellare, Impagliazzo, and Naor [BIN97] for interactive arguments that the security may not be amplified at all.



                  Efficiency (constants p, q)                               Feasibility
  Work            Number of         Length of          Rate         Applicable range
                  black-box calls   committed string                of parameters
  [HR08]          ω(log² s)         1                  ω(log² s)    p + q < 1 − 1/polylog(s)
  [HS10]          ω(log² s)         1                  ω(log² s)    p + q < 1 − 1/poly(s)
  Ours            ω(log s)          O(log s)           ω(1)         p + q < 1 − 1/polylog(s)
  Ours + [HS10]   ω(log s)          O(log s)           ω(1)         p + q < 1 − 1/poly(s)

Fig. 1. Summary of results on security amplification for commitment schemes in the computational setting. Efficiency measures the cost of amplifying commitment schemes from constant security to negligible security. Feasibility refers to the parameter range in which security amplification is possible.


To bypass the ω(log² s) barrier of the previous transformations, we use error-correcting codes and randomness extractors to amplify both hiding and binding properties simultaneously. To analyze our construction, we model the security of commitment schemes as (the hardness of) solving "two-phase" (interactive) puzzle systems, and study the hardness of solving at least r out of n puzzles. Our result on puzzle systems also applies to the dynamic weakly-verifiable puzzle systems of [DIJK09], and hence improves the efficiency of security amplification for MACs, digital signatures, and PRFs.

Due to the space limit, we focus on presenting our results on security amplification of commitment schemes. We discuss our results on puzzle systems in the following section, and defer the detailed definitions and proofs to the full version of this paper.


1.2 Puzzle Systems and Security Amplification for Other Primitives

Informally, in a puzzle system, a puzzle generator generates a puzzle and a solver tries to solve the puzzle. At a high level, puzzle systems provide a nice way to abstract the security property of cryptographic protocols: the hardness of solving a puzzle models the hardness for an adversary to break the security. Previously, Canetti, Halevi, and Steiner [CHS05] defined weakly-verifiable puzzle systems to capture the CAPTCHA scenario, and Dodis, Impagliazzo, Jaiswal, and Kabanets [DIJK09] generalized the model to dynamic weakly-verifiable puzzle systems to capture the security of MACs, digital signatures, and PRFs. In this paper, we introduce two-phase puzzle systems, which also generalize the model of [CHS05], to capture both hiding and binding properties of commitment schemes.

One natural way to achieve hardness/security amplification is via repetition. Suppose solving a puzzle is δ-hard in the sense that no efficient solver S can successfully solve a puzzle with probability higher than δ. If successfully solving different puzzles were independent events, then successfully solving n puzzles should be δⁿ-hard. However, since a solver can correlate his answers to different puzzles, the events are not independent and the hardness bound may not hold. In the literature, there are various (parallel) repetition theorems for the aforementioned puzzle systems saying that the hardness bounds match those of independent events and/or that the hardness is amplified at an exponential rate, which are useful to deduce security amplification results [CHS05, IJK07, DIJK09, Jut10]. In general, hardness amplification results for one puzzle system do not imply the same results for another puzzle system. Furthermore, for general interactive protocols, which can be viewed as "interactive puzzle systems," there are counter examples (under reasonable assumptions) showing that the hardness may not be amplified at all under parallel repetition [BIN97, PW07].

Previous Results. For weakly-verifiable puzzle systems, Canetti, Halevi, and Steiner [CHS05] prove a tight Direct Product Theorem, saying that solving n puzzles is δⁿ-hard² if solving a single puzzle is δ-hard, and Impagliazzo, Jaiswal, and Kabanets [IJK07] prove a more general Chernoff-type Theorem, saying that solving at least (1.1)·δ·n out of n puzzles is 2^{−Ω(δ·n)}-hard if solving a single puzzle is δ-hard. The bound of [IJK07] was recently improved by Jutla [Jut10] to nearly optimal. Dodis, Impagliazzo, Jaiswal, and Kabanets [DIJK09] extend the Chernoff-type Theorem to dynamic weakly-verifiable puzzle systems, and use it to achieve security amplification for MACs, digital signatures, and PRFs. However, the proof techniques of [IJK07, DIJK09, Jut10] seem not applicable to the two-phase puzzle systems.

To analyze their transformations for security amplification for commitment schemes, Halevi and Rabin [HR08] prove a Hardness Degradation Theorem for two-phase puzzle systems (without formally defining the model), saying that solving at least one out of n puzzles is (1 − (1 − δ)ⁿ)-hard if solving a single puzzle is δ-hard (matching the bound for independent events).

Our Results. We show that the three types of hardness results (Direct Product, Chernoff-type, Hardness Degradation) actually hold for the three aforementioned puzzle systems (weakly-verifiable puzzles, dynamic weakly-verifiable puzzles, and two-phase puzzles). We establish a Full-Spectrum Amplification Theorem, which essentially says that the hardness of solving at least r puzzles out of n puzzles matches the bound of independent events if solving a single puzzle is δ-hard for some constant δ. Note that such a bound is optimal, since a solver can always solve each puzzle independently. A summary of our results and previous results can be found in Figure 2.

² We omit the negligible slackness in this informal discussion.



                          Weakly Verifiable        Dynamic Weakly Verifiable   Two-Phase
  Direct Product          [CHS05]                  [DIJK09], Ours              [HR08]
  Chernoff-type           [IJK07, Jut10], Ours     [DIJK09], Ours              Ours, [HS10]
  Hardness Degradation    [HR08]                   Ours*                       [HR08]
  Full-Spectrum           Ours, [HS10]             Ours*                       Ours, [HS10]

Fig. 2. Summary of results on different types of puzzle systems. "Ours" means that either we obtain new results or we improve bounds over previous ones. The work of [HS10] and our work are independent works. (*): Our hardness degradation and full-spectrum results only hold for a variant of the dynamic weakly verifiable puzzle systems (see the full version of this paper for details).


We prove the Full-Spectrum Amplification Theorem by a single reduction algorithm that is applicable to all three puzzle systems. The reduction algorithm can be viewed as a generalization of the reduction algorithm of Canetti, Halevi, and Steiner [CHS05].

As a consequence, our improvement on the Chernoff-type Theorem for dynamic weakly verifiable puzzle systems of Dodis et al. [DIJK09] implies an improvement on the efficiency of security amplification for MACs, digital signatures, and PRFs.

Historical Notes. The work of Holenstein and Schoenebeck [HS10] and our work were done independently, but have significant overlap. We briefly compare the results and make some historical notes as follows. For security amplification for commitment schemes, both works improve the result of Halevi and Rabin [HR08], but in complementary ways. Holenstein and Schoenebeck show a feasibility result saying that security amplification is possible if and only if p + q < 1 − 1/poly(s). We improve the efficiency of the transformation, showing that only ω(log s) black-box calls are sufficient to amplify security from constant to negligible and that the resulting commitment scheme can commit to an O(log s)-bit string. The constructions in both works are very different. As shown in Figure 1, the two results can be combined to obtain both improvements simultaneously.

For puzzle systems, Holenstein and Schoenebeck [HS10] present essentially the same idea and reduction algorithm as in our work. However, they have a cleaner way to deal with the parameters, and hence their result holds for every δ as opposed to constant δ in our result. Also, they consider more general "monotone combining functions" in addition to the threshold functions considered in our work. On the other hand, the application to the efficiency improvement of security amplification for MACs, digital signatures, and PRFs was pointed out by us.
2 Preliminaries

All log's are base 2. s is the security parameter, and ngl = ngl(s) denotes a negligible function of the security parameter, i.e. s^{−log(s)}. We use U_n to denote the uniform distribution over n-bit strings. We identify {0,1} with F_2, the finite field of size 2. If x, y ∈ {0,1}ⁿ are vectors in F_2ⁿ, then x ⊕ y ∈ {0,1}ⁿ denotes their sum (i.e. bit-wise xor) and x · y = Σ_i x_i y_i ∈ {0,1} denotes their inner product.

We review the facts we need about error-correcting codes. The lemma below says that a short random linear code has good minimum distance with overwhelming probability. It can be proved by standard probabilistic methods, and we omit the proof. The constants in the lemma are actually small.

Definition 1. The Hamming distance of two strings x and y is the number of coordinates i such that x_i ≠ y_i. Let C : {0,1}ⁿ → {0,1}^{n'} be a code. The minimum distance of C is the minimum Hamming distance over all pairs of codewords C(x) and C(y) such that x ≠ y.

Lemma 1. There exist universal constants d_0, d_1 such that the following holds. Let k be a positive integer, and γ, δ ∈ [0,1] be numbers such that γ ≥ d_0 · δ log(1/δ). Let n be an integer such that n ≥ d_1 · k/δ. Let C : {0,1}ⁿ → {0,1}^{(1+γ)n} be a random linear code defined by C(m) = (m, Am), where A ∈ {0,1}^{γn×n} is a random 0-1 matrix. Then C has minimum distance at least δ · n with probability at least 1 − 2^{−k}/2.

3 Definitions and Main Theorems

3.1 Commitment Schemes

In this section, we formally define commitment schemes and present our main theorem. We consider a standard model where the communication is over the classical noiseless channel and the decommitment is non-interactive [DKS99, HR08].

Definition 2 (Commitment Scheme). A commitment scheme is an interactive protocol Com = (S, R) with the following properties:

1. Scheme Com consists of two stages: a commit stage and a reveal stage. In both stages, the sender S and the receiver R receive a security parameter 1^s as common input.

2. At the beginning of the commit stage, sender S receives a private input v ∈ {0,1}^t, which denotes the string to which S is supposed to commit. The commitment stage results in a joint output, which we call the commitment x = output((S(v), R)(1^s)), and a private output for S, which we call the decommitment string d = output_S((S(v), R)(1^s)). Without loss of generality, x can be taken to be the full transcript of the interaction between S and R, and d to be the private coin tosses of S.

3. In the reveal stage, sender S sends the pair (v, d), where d is the decommitment string for string v. Receiver R accepts or rejects based on v, d, x.

4. Both sender S and receiver R are efficient, i.e., both run in probabilistic polynomial time in the security parameter s.

5. R will always accept with probability 1 − ngl if both the sender S and the receiver R follow their prescribed strategy. If R accepts with probability 1, we say Com has perfect correctness.

6. When the committed string v is just a bit in {0,1}, we call Com a bit-commitment scheme. Otherwise, we call Com a t-bit string-commitment scheme.

Remark 1. The assumption of a non-interactive reveal stage is essential in both our work and the previous work. This assumption can be made without loss of generality as long as no additional property (e.g., if the sender wants to decommit in a zero-knowledge manner) is required, because in the reveal stage, the sender S can send his coin tosses to the receiver R, who can check the consistency and simulate the protocol. On the other hand, the assumption of perfect correctness can be relaxed to (1 − ngl)-correctness in both works.

We proceed to define the hiding and binding properties of commitment schemes. To facilitate the presentation of our results and analysis, we are precise about the adversary's running time in the definition and define the binding property in terms of binding games.

Definition 3 (p-hiding against time T). A commitment scheme Com = (S, R) is p-hiding against uniform time T if for every probabilistic time-T cheating receiver R*, the distributions (view_{R*}(S(U_t), R*), U_t) and (view_{R*}(S(U_t), R*), U'_t) are p-indistinguishable for time T, where U'_t is an i.i.d. copy of U_t. That is, for every probabilistic time-T distinguisher D,

$$\left|\Pr[D(\mathrm{view}_{R^*}(S(U_t),R^*),U_t)=1] - \Pr[D(\mathrm{view}_{R^*}(S(U_t),R^*),U'_t)=1]\right| \le p/2.$$

We say Com is p-hiding if Com(1^s) is p-hiding against time s^c for every constant c, and sufficiently large security parameter s.

We remark that the hiding property above is defined as the indistinguishability for random values, which does not generally imply the standard semantic security for the hiding property. Nevertheless, it is easy to transform a commitment scheme Com with the above hiding property to one with standard semantic security: one can use Com to commit to a random string r ∈_R {0,1}^t, and use r as a one-time pad to hide the actual string v that the sender wants to commit to.

Remark 2. For bit-commitment schemes, p-hiding is equivalent to saying that the receiver can guess the committed bit with probability at most 1/2 + p/2. Formally, for every time-T predictor P,

$$\Pr[P(\mathrm{view}_{R^*}(S(U_1),R^*)) = U_1] \le 1/2 + p/2.$$

Definition 4 (Binding Game). The binding game for a commitment scheme Com = (S, R) is played between an honest receiver R, and (S*, F), a cheating sender S* with a decommitment finder F. The game consists of two stages:

1. In the commit stage, S* interacts with R to produce a view view_{S*}(S*, R).

2. In the decommitment finding stage, F gets the view view_{S*}(S*, R), and produces two decommitment strings (s, d) and (s', d').

(S*, F) succeeds if in the reveal stage, R accepts both decommitment strings (s, d) and (s', d').

Definition 5 (q-binding against time T). A commitment scheme Com = (S, R) is q-binding against time T if, in the binding game, for every time-T pair (S*, F), the success probability of (S*, F) is at most q. We say Com is q-binding if Com(1^s) is q-binding against time s^c for every constant c, and sufficiently large security parameter s.

Definition 6 (security of commitment schemes). A commitment scheme Com is (p, q)-secure (against time T) if Com is p-hiding and q-binding (against time T). Com is secure if Com(1^s) is (s^{−c}, s^{−c})-secure for every constant c, and sufficiently large security parameter s.

We proceed to state our main result on efficient security amplification for commitment schemes. The following theorem says that we can securely commit an O(log s)-bit string using only ω(log s) black-box calls to a weak commitment scheme Com_0 with constant hiding and binding properties.

Theorem 1. Let p, q ∈ (0,1) be constants with p + q < 1. Suppose there exists a (p, q)-secure bit commitment scheme Com_0. Then for every t(s) = O(log s), n(s) = ω(t + log s), where s is the security parameter, there exists a secure t-bit string-commitment scheme Com that makes only n black-box calls to Com_0.

4 Efficient Security Amplification for Commitment Schemes

In this section, we present our result on efficient black-box security amplification for commitment schemes in the computational setting, where the security holds against PPT active adversaries. We start by reviewing the previous construction of Halevi and Rabin [HR08], and then discuss its limitation and our improvement. The construction in [HR08] uses the following two transformations, each of which improves one property significantly without hurting the other property too much.

— Secret-sharing transformation. Let Com_0 be a bit commitment scheme, and n ∈ N be a parameter. The transformation gives a bit commitment scheme Com = (S, R) as follows. To commit a bit b ∈ {0,1} to R, S generates random b_1, b_2, ..., b_n ∈ {0,1} such that ⊕_{i∈[n]} b_i = b, i.e. a secret sharing of b, and then uses Com_0 to sequentially commit to each b_i to R.

Intuitively, this transformation improves the hiding property, since an adversarial R* needs to learn all bits b_1, ..., b_n to recover b, but hurts the binding property, since an adversarial S* only needs to cheat on any single bit b_i to decommit in two ways. Indeed, Halevi and Rabin proved that if Com_0 is (p, q)-secure, then Com is (pⁿ, 1 − (1 − q)ⁿ)-secure.³

³ We omit the negligible slackness in the informal discussion.
— Repetition transformation. Let Com_0 be a bit commitment scheme, and n ∈ N be a parameter. The transformation gives a bit commitment scheme Com = (S, R) as follows. To commit a bit b ∈ {0,1} to R, S sequentially uses Com_0 n times to commit to the same bit b to R.

Intuitively, this transformation improves the binding property, since an adversarial S* needs to cheat on all copies of Com_0 to decommit in two ways, but hurts the hiding property, since an adversarial R* can learn the bit b from any copy of the commitments. Indeed, Halevi and Rabin proved that if Com_0 is (p, q)-secure, then Com is (1 − (1 − p)ⁿ, qⁿ)-secure.

Halevi and Rabin showed that, as long as p and q satisfy p + q < 1 − 1/polylog(s), then given a (p, q)-secure (weak) bit commitment scheme Com_0, one can apply the above two transformations alternately to obtain a secure bit commitment scheme Com. To measure the efficiency, consider the case where both p and q are constants with p + q < 1. Since improving either the hiding or the binding property from constant to negligible requires ω(log s) invocations of Com_0, and the above transformations improve the two properties separately, the construction of Halevi and Rabin requires at least ω(log² s) black-box calls to Com_0.

Remark 3. Independent of our work, Holenstein and Schoenebeck [HS10] present a different construction that improves the result of Halevi and Rabin in the following sense. For any (p, q)-secure bit commitment scheme Com_0 with p + q < 1 − 1/poly(s), their construction gives a secure bit commitment scheme Com using poly(s) black-box calls to Com_0. Their construction uses Valiant's monotone formula for majority [Val84] to improve both properties. However, a closer inspection shows that their construction is equivalent to applying the secret sharing transformation and a variant of the repetition transformation (with the same effect on the parameters) alternately. Hence, in terms of efficiency, their construction also requires at least ω(log² s) black-box calls to amplify a (p, q)-secure weak commitment scheme with constant p and q to a secure one.

To bypass the $\omega(\log^2 s)$ barrier of the existing constructions, our main idea is to use error-correcting codes and randomness extractors to amplify both hiding and binding properties simultaneously. For intuition, we give an informal description of our transformation first. Let us informally use Com_0$(b)$ to denote a commitment of a bit $b$, and let $C : \{0,1\}^n \to \{0,1\}^{n'}$ be an error-correcting code with minimum distance at least $\delta \cdot n'$, and $\mathrm{Ext} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^t$ a strong randomness extractor. Our transformation uses Com_0, $C$ and $\mathrm{Ext}$ to commit to a string $v \in \{0,1\}^t$ as follows (recall that we obtain string commitment schemes, as opposed to the bit commitment schemes of other existing constructions).

— Commit Stage: the sender $S$ samples a message $m \in_R \{0,1\}^n$ uniformly at random, and sequentially commits to each bit of the codeword $C(m)$ using Com_0, which generates commitments $\mathrm{Com}_0(C(m)) = (\mathrm{Com}_0(C(m)_1), \ldots, \mathrm{Com}_0(C(m)_{n'}))$. Then $S$ samples a uniform seed $z \in_R \{0,1\}^d$, and sends the seed $z$ with $v \oplus \mathrm{Ext}(m, z)$ to the receiver $R$. In sum, the commitment is $\mathrm{Com}(v) = (\mathrm{Com}_0(C(m)), z, v \oplus \mathrm{Ext}(m, z))$.

— Reveal Stage: the sender $S$ sends the value $v$, the message $m$ and reveals each committed bit of $C(m)$ to $R$, who checks consistency and accepts or rejects accordingly.

Intuitively, the binding property is improved because for an adversarial sender $S^*$ to cheat, $S^*$ needs to decommit $C(m)$ into two valid codewords. Since the code $C$ has good minimum distance, $S^*$ needs to successfully cheat on at least $\delta \cdot n'$ committed bits out of the $n'$ committed bits. The $q$-binding property of Com_0 says that, for each committed bit, $S^*$ can cheat with probability at most $q$. Thus, in expectation, $S^*$ can cheat on only $q \cdot n'$ committed bits. If $q < (0.9)\delta$, the Chernoff bound suggests that $S^*$ should be able to cheat on at least $\delta \cdot n'$ committed bits with only exponentially small probability in $n'$. On the other hand, the hiding property is improved because after seeing the commitments of $C(m)$, an adversarial receiver $R^*$ has only partial information about $m$ by the $p$-hiding property of Com_0. Thus, $\mathrm{Ext}$ extracts the remaining (computational) entropy from $m$, which is used to hide the value $v$. Ideally, when both $p$ and $q$ are constants, we can set both $n, n' = \omega(\log s)$ and commit to an $\Omega(n)$-bit string.

In sum, our efficient security amplification for commitment schemes consists of three steps: given a $(p, q)$-secure bit commitment scheme Com_0 with constants $p + q < 1$, (1) we first apply the transformations of Halevi and Rabin to obtain a $(p', q')$-secure bit commitment scheme Com_1 with sufficiently small constants $p', q'$, which costs a constant number of black-box calls, (2) we apply the above construction to obtain an $(s^{-c}, s^{-c})$-secure $O(\log s)$-bit string commitment scheme Com_2, which costs $O(\log s)$ black-box calls, and (3) we apply a string version of the transformations of Halevi and Rabin [HR08] to obtain a secure $O(\log s)$-bit string commitment scheme Com_3, which costs $\omega(1)$ black-box calls. The numbers of black-box calls multiply over the steps, and hence the resulting Com_3 uses $\omega(\log s)$ black-box calls to Com_0.

We proceed to give a formal description of the above construction and its analysis in Section 4.1, and present a string version of the transformations of Halevi and Rabin used in the third step in Section 4.2.

4.1 Efficient Security Amplification in the Known-Security Setting

In this section, we present a transformation that converts a $(p, q)$-secure bit commitment scheme Com_0 to an $(s^{-c}, s^{-c})$-secure $O(\log s)$-bit string commitment scheme Com using $O(\log s)$ black-box calls to Com_0, where $c$ is an arbitrary constant. Our transformation uses error-correcting codes and randomness extractors to amplify both hiding and binding properties simultaneously. The transformation requires the use of a systematic code with good distance and the “Goldreich-Levin” extractor. We will discuss the reason when we prove the security below. A formal description of our transformation can be found in Figure 3.

We will show that if Com_0 is a $(p, q)$-secure bit commitment scheme for small constants $p, q$, then by setting $n, \ell, t = O(\log s)$, the resulting string commitment scheme is $(s^{-c}, s^{-c})$-secure for some constant $c$. Note that both parties in Com run in time polynomial in $n, \ell, t$ and the running time of Com_0, which is efficient. Formally, we prove the following theorem.
Transformation $T(\mathrm{Com}_0)$:

— Inputs. A bit commitment scheme Com_0, and parameters $n, \ell, t \in \mathbb{N}$.

— Outputs. A $t$-bit string-commitment scheme Com $= (S, R)$ defined as follows.

— Commit Stage. Let $v \in \{0,1\}^t$ be the string to which $S$ is committing.

1. $R$ samples a uniformly random matrix $A \leftarrow \{0,1\}^{\ell \times n}$, and sends $A$ to $S$.

/* i.e., $R$ selects a random systematic linear code $C(m) = (m, Am)$. */

2. $S$ samples the following uniformly at random: a message $m \leftarrow \{0,1\}^n$ and a matrix $Z \leftarrow \{0,1\}^{t \times n}$.

/* $Z$ is a random seed for a (strong) randomness extractor $\mathrm{Ext}(m, Z) = Zm$. */

3. $S$ uses Com_0 to commit to each bit of $m$ and each bit of $Am$ to $R$ sequentially. Let $x = (x_1, \ldots, x_n)$ and $y = (y_1, \ldots, y_\ell)$ denote the commitments of each bit respectively.

/* i.e., $S$ commits to each bit of the codeword $C(m)$. */

4. $S$ sends $(Z, v \oplus Zm)$ to $R$, where $v \oplus Zm$ is the bit-wise xor of $v$ and $Zm$.

/* i.e., $S$ uses $\mathrm{Ext}(m, Z)$ as a one-time pad to hide the committed string $v$. */

In sum, the commitment of $v$ is $(A, x, y, Z, v \oplus Zm)$.

— Reveal Stage. $S$ sends $v$ and its coin tosses $r$ to $R$, and $R$ checks that $v$ and $r$ are consistent with the honest sender's algorithm.


Fig. 3. Our black-box transformation $T(\mathrm{Com}_0, n, \ell, t)$
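The transformation of Fig. 3 run end to end, as an added example that is not part of the paper: the receiver picks $A$, the sender commits bit by bit to $C(m) = (m, Am)$ and masks $v$ with $Zm$, and the reveal-stage check re-runs the honest sender on $(v, r)$. The hash-based Com_0 and the parameters $n, \ell, t$ are our own assumptions standing in for an arbitrary weak bit commitment.

```python
"""Added example (not the paper's code): transformation T(Com_0, n, l, t)
of Fig. 3 over a toy hash-based bit commitment Com_0 (our assumption)."""
from __future__ import annotations
import hashlib
import secrets
from dataclasses import dataclass

# --- Toy bit commitment Com_0: commit(b) = H(r || b), opened with r ---
def com0_commit(b: int) -> tuple[bytes, bytes]:
    """Commit to bit b; returns (commitment, sender's coins)."""
    r = secrets.token_bytes(16)
    return hashlib.sha256(r + bytes([b])).digest(), r

def com0_verify(c: bytes, b: int, r: bytes) -> bool:
    return b in (0, 1) and hashlib.sha256(r + bytes([b])).digest() == c

# --- GF(2) helpers: bit-vectors are lists of 0/1, matrices lists of rows ---
def rand_bits(k: int) -> list[int]:
    return [secrets.randbelow(2) for _ in range(k)]

def rand_matrix(rows: int, cols: int) -> list[list[int]]:
    return [rand_bits(cols) for _ in range(rows)]

def mat_vec(M: list[list[int]], v: list[int]) -> list[int]:
    """M * v over GF(2)."""
    return [sum(a & b for a, b in zip(row, v)) & 1 for row in M]

def xor(a: list[int], b: list[int]) -> list[int]:
    return [x ^ y for x, y in zip(a, b)]

@dataclass
class Commitment:            # (A, x, y, Z, v xor Zm) from Fig. 3
    A: list[list[int]]
    x: list[bytes]
    y: list[bytes]
    Z: list[list[int]]
    masked: list[int]

@dataclass
class Opening:               # the sender's coin tosses r
    m: list[int]
    rx: list[bytes]
    ry: list[bytes]

def receiver_choose_code(n: int, l: int) -> list[list[int]]:
    """Step 1: R picks A, i.e. the systematic code C(m) = (m, Am)."""
    return rand_matrix(l, n)

def sender_commit(A, v, n, t):
    """Steps 2-4: S commits to every bit of C(m) and masks v with Ext(m,Z)=Zm."""
    m = rand_bits(n)
    Z = rand_matrix(t, n)
    xs, rx = zip(*(com0_commit(b) for b in m))
    ys, ry = zip(*(com0_commit(b) for b in mat_vec(A, m)))
    masked = xor(v, mat_vec(Z, m))
    return Commitment(A, list(xs), list(ys), Z, masked), Opening(m, list(rx), list(ry))

def receiver_verify(c: Commitment, v: list[int], o: Opening) -> bool:
    """Reveal stage: R re-runs the honest sender on (v, r) and compares."""
    Am = mat_vec(c.A, o.m)
    if len(o.m) != len(c.x) or len(Am) != len(c.y) or len(v) != len(c.masked):
        return False
    ok_x = all(com0_verify(cx, b, r) for cx, b, r in zip(c.x, o.m, o.rx))
    ok_y = all(com0_verify(cy, b, r) for cy, b, r in zip(c.y, Am, o.ry))
    return ok_x and ok_y and xor(v, mat_vec(c.Z, o.m)) == c.masked

def demo(n: int = 16, l: int = 8, t: int = 4) -> tuple[bool, bool, bool]:
    """Honest reveal accepts; revealing another v, or another m, is rejected."""
    A = receiver_choose_code(n, l)
    v = rand_bits(t)
    c, o = sender_commit(A, v, n, t)
    other_v = xor(v, [1] + [0] * (t - 1))
    bad_m = Opening(xor(o.m, [1] + [0] * (n - 1)), o.rx, o.ry)
    return (receiver_verify(c, v, o),
            receiver_verify(c, other_v, o),
            receiver_verify(c, v, bad_m))
```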

Theorem 2. The following holds for all sufficiently small constants $p, q \in (0,1)$, and $k = O(\log s)$: Suppose there exists a $(p, q)$-secure (weak) bit commitment scheme Com_0, then there exists a $(2^{-k}, 2^{-k})$-secure $t = \Omega(k)$-bit string-commitment scheme Com that makes $O(k)$ black-box calls to Com_0. Specifically, Com $= T(\mathrm{Com}_0, n, \ell, t)$ for appropriate $n, \ell = O(k)$, and $t = \Omega(k)$.

We formalize the aforementioned intuition to analyze the hiding and binding properties in the subsections below.

Analysis of the Binding Property. In this section, we analyze the binding property of our transformation $T(\mathrm{Com}_0, n, \ell, t)$. We first recall the intuition of why the binding property is improved. Recall that in the construction, the sender $S$ is supposed to commit to each bit of a valid codeword $C(m) = (m, Am)$ using Com_0, where $C$ is a random linear code chosen by the receiver $R$. By Lemma 1, $C$ has good min-distance $\delta \cdot n$ with overwhelming probability. For an adversarial sender $S^*$ to cheat, $S^*$ needs to decommit the $n + \ell$ commitments into two valid codewords $C(m_1), C(m_2)$, which means that $S^*$ needs to successfully cheat on at least $\delta \cdot n$ commitments out of the $n + \ell$ commitments. Intuitively, suppose breaking the binding property of each commitment were independent events with success probability at most $q$; then if $\delta \cdot n > (1.1) \cdot q \cdot (n + \ell)$, by Chernoff bounds the success probability of $S^*$ should be exponentially small in $n$.

Of course, the events are not independent since $S^*$ has the chance to correlate his strategy across different instances. However, breaking the binding property of sequentially committed bits can be modeled as a repetition of two-phase puzzle systems, and hence the above intuition can be formalized using the Full-Spectrum Amplification Theorem (which appears in the full version of this paper), which says that the success probability of $S^*$ behaves the same as in the case of independent events.

Formally, we prove the following lemma, which essentially says that when $q$ is sufficiently smaller than the min-distance of the code, the binding property is amplified at an exponential rate. We formulate the lemma in concrete parameters for preciseness. For intuition, think of $n, \ell = O(k)$, $k = O(\log s)$, $T_0 = \mathrm{poly}(s)$, and $T = s^{\omega(1)}$.

Lemma 2 (Binding). Let $d_0$ be the universal constant in Lemma 1. There exists a universal constant $c_1$ such that the following holds. For any $q \in (0,1)$, $n, k, \ell, t, T_0, T \in \mathbb{N}$ satisfying (i) $d_0 \cdot (3q) \cdot \log(1/3q) < 1$, (ii) $2c_1 \cdot k/q > n > c_1 \cdot k/q$, (iii) $n > \ell > d_0 \cdot (3q) \cdot \log(1/3q) \cdot n$, if a bit-commitment scheme Com_0 $= (S_0, R_0)$ with runtime $T_0$ is $q$-binding against time $T$, then Com $= T(\mathrm{Com}_0, n, \ell, t)$ is $2^{-k}$-binding against time $T' = T/\mathrm{poly}(2^k, T_0, t)$.

Analysis of the Hiding Property. In this section, we analyze the hiding property of our transformation $T(\mathrm{Com}_0, n, \ell, t)$. We first recall the intuitive entropy argument of why the hiding property is improved. Recall that in the construction, the sender $S$ samples a random $n$-bit message $m$, which contains $n$ bits of entropy. Then $S$ commits to each bit of the codeword $C(m) = (m, Am)$, each of which leaks information about $m$. Intuitively, if we set the parameters so that there is entropy left in $m$, $S$ can use a randomness extractor to extract a string $\mathrm{Ext}(m, Z)$ that is (pseudo-)random from an adversarial receiver $R^*$'s point of view, and use it as a one-time pad to hide the committed value $v$.

We argue that it is very hard for $R^*$ to predict the whole message $m$ after he sees the $n + \ell$ commitments, and hence one can apply the Goldreich-Levin theorem to extract pseudo-random bits. This is why our transformation requires the use of the Goldreich-Levin extractor. To argue that $m$ is hard to predict from the commitments $(x, y)$, we first argue that $m$ is hard to predict from $x$. We can view predicting the $n$ sequentially committed message bits of $m$ from the commitments $x$ as an $n$-fold direct product of a two-phase puzzle system. By the Direct Product Theorem of Halevi and Rabin [HR08], the success probability of $R^*$ is at most $((1+p)/2)^n$ (up to a negligible factor). Observing that $y$ contains at most $\ell$ bits of information about $m$, the success probability of $R^*$ in predicting $m$ from $(x, y)$ is at most $2^{\ell} \cdot ((1+p)/2)^n$. Hence, by the Goldreich-Levin theorem, we can extract $\Omega(\log(2^{\ell} \cdot ((1+p)/2)^n))$ pseudorandom bits.

Formally, we prove the following lemma, which essentially says that we can extract $\Omega(\log(2^{\ell} \cdot ((1+p)/2)^n))$ pseudorandom bits. Again, we formulate the lemma in concrete parameters for preciseness, and we use the parameter $\alpha = 1 - p$ for clarity. For intuition, think of $n, \ell = \Theta(k)$, $k = O(\log s)$, $T_0 = \mathrm{poly}(s)$, and $T = s^{\omega(1)}$.

Lemma 3 (Hiding). There exists a universal constant $c_2$ such that the following holds. For every $\alpha \in (0,1)$, $n, k, \ell, t, T_0, T \in \mathbb{N}$ satisfying (i) $2c_2 \cdot k/\alpha > n > c_2 \cdot k/\alpha$, (ii) $\ell, t < \alpha n/12$, if Com_0 $= (S_0, R_0)$ with runtime $T_0$ is $(1 - \alpha)$-hiding against time $T$, then Com $= T(\mathrm{Com}_0, n, \ell, t)$ is $2^{-k}$-hiding against time $T' = T/\mathrm{poly}(2^k, T_0)$.
We leave the proofs of Lemmas 2 and 3 to the full version of this paper.

Proof of Theorem 2. Theorem 2 follows by applying Lemmas 2 and 3 with properly chosen parameters.

Proof (of Theorem 2). We set the parameters $n, k, \ell$ as follows: $n = \max\{\ldots\} = O(k)$, $\ell = d_0 (3q) \log(1/3q) \cdot n$, and $t = \ldots = \Omega(k)$, where $c_1, c_2, d_0$ are the constants in Lemmas 1, 2 and 3. The theorem follows directly from Lemmas 2 and 3.

4.2 Security Amplification for String Commitment Schemes 

In this section, we generalize the transformations of Halevi and Rabin [HR08] to the case of string commitment schemes, with the goal of amplifying the $(s^{-c}, s^{-c})$-secure string commitment scheme obtained from our transformation to achieve negligible security. This is a simpler task, and can be done by applying a secret-sharing transformation first and then a repetition transformation. A formal description of the transformations can be found in Figure 4.


Secret-sharing $\mathcal{SS}(\mathrm{Com}_0, u)$. Let Com_0 be a $t$-bit string commitment scheme, and $u \in \mathbb{N}$ be a parameter. The transformation gives a $t$-bit string commitment scheme Com $= (S, R)$ as follows. To commit a value $v \in \{0,1\}^t$ to $R$, $S$ generates random $v_1, v_2, \ldots, v_u \in \{0,1\}^t$ such that $v_1 \oplus v_2 \oplus \cdots \oplus v_u = v$, where $\oplus$ denotes the bit-wise xor of the $v_i$'s (i.e. a secret sharing of $v$), and then uses Com_0 to sequentially commit to each $v_i$ to $R$.

Repetition $\mathcal{R}(\mathrm{Com}_0, u)$. Let Com_0 be a $t$-bit string commitment scheme, and $u \in \mathbb{N}$ be a parameter. The transformation gives a $t$-bit string commitment scheme Com $= (S, R)$ as follows. To commit a value $v \in \{0,1\}^t$ to $R$, $S$ sequentially uses Com_0 $u$ times to commit to the same value $v$ to $R$.


Fig. 4. Secret-sharing and repetition transformations for string commitment schemes

We proceed to analyze the binding and hiding properties of the commitment schemes resulting from the two transformations. For the binding property, the analysis is essentially the same as in [HR08]: for repetition, it requires breaking all $u$ commitments of Com_0, and for secret-sharing, it requires breaking only 1 out of the $u$ commitments of Com_0, which can be modeled as solving the corresponding repetition of two-phase puzzles. The Direct Product Theorem and Hardness Degradation Theorem of Halevi and Rabin [HR08] (or our Full-Spectrum Amplification Theorem) imply the following lemma.

Lemma 4 ([HR08]). Let Com_0 be a $t$-bit string-commitment scheme, $u = u(s) \le \mathrm{poly}(s)$ an efficiently computable function, and $q \in (0,1)$ a constant. Suppose Com_0 is $q$-binding; then $\mathcal{R}(\mathrm{Com}_0, u)$ is $(q^u + \mathrm{ngl})$-binding, and $\mathcal{SS}(\mathrm{Com}_0, u)$ is $(1 - (1-q)^u + \mathrm{ngl})$-binding.
On the other hand, analyzing the hiding property is trickier. For the secret-sharing transformation, we need a string version of the XOR Lemma to show that the hiding property is amplified. Maurer and Tessaro [MT09] proved a more general result (Theorem 2 of [MT09]) in the context of system composition, which implies the following lemma.

Lemma 5 ([MT09]). Let Com_0 be a $t$-bit string-commitment scheme, and Com $= \mathcal{SS}(\mathrm{Com}_0, u)$ with efficiently computable $u = u(s) \le \mathrm{poly}(s)$. If Com_0 is $p$-hiding, then Com is $(p^u + \mathrm{ngl})$-hiding.

We next show that the repetition transformation preserves the (negligible) hiding property. This is sufficient for our purpose since we will apply the secret-sharing transformation to amplify the hiding property to negligible before applying the repetition transformation.

Lemma 6. Let Com_0 $= (S_0, R_0)$ be a $t$-bit string-commitment scheme, and Com $= \mathcal{R}(\mathrm{Com}_0, u)$ with efficiently computable $u = u(s) \le \mathrm{poly}(s)$. If Com_0 is $\mathrm{ngl}$-hiding, so is Com.

We leave the proof in the full version of this paper. 

4.3 Putting Things Together

We are ready to present a formal description of our efficient security amplification for commitment schemes (in Figure 5) and prove Theorem 1.


Final Construction.

— Inputs. A $(p, q)$-secure bit commitment scheme Com_0 with $p + q < 1$.

— Outputs. A secure $t$-bit string-commitment scheme Com with $t = O(\log s)$.

1. Apply the transformations of Halevi and Rabin alternately to obtain a $(p', q')$-secure bit commitment scheme Com_1 with sufficiently small constants $p', q'$.

2. Apply our transformation $T(\mathrm{Com}_1, n, \ell, t)$ to obtain an $(s^{-c}, s^{-c})$-secure $t$-bit string commitment scheme Com_2, where $n, \ell, t = O(\log s)$, and $c$ is some constant.

3. Let $a$ be an arbitrary $\omega(1)$ function. Apply $\mathcal{SS}(\mathrm{Com}_2, a)$ to obtain a $(\mathrm{ngl}, a \cdot s^{-c} + \mathrm{ngl})$-secure $t$-bit string commitment scheme Com_3.

4. Apply $\mathcal{R}(\mathrm{Com}_3, a)$ to obtain a secure $t$-bit string commitment scheme Com.


Fig. 5. Efficient security amplification of commitment schemes
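The string-level transformations $\mathcal{SS}$ and $\mathcal{R}$ of Fig. 4, composed as in steps 3 and 4 of Fig. 5, as an added example that is not the paper's code. The base $t$-bit scheme standing in for Com_2 is a toy hash commitment (our assumption); the two transformations themselves only use the commit/verify interface and a parameter $u$, and the receiver's checks enforce that the revealed shares xor to $v$ (for $\mathcal{SS}$) and that all $u$ copies open to the same $v$ (for $\mathcal{R}$).

```python
"""Added example (not the paper's code): SS(Com_0, u) and R(Com_0, u) from
Fig. 4 over a toy hash-based string commitment, stacked as in Fig. 5."""
from __future__ import annotations
import hashlib
import secrets
from dataclasses import dataclass
from typing import Callable

@dataclass
class Scheme:
    t: int                                          # string length in bits
    commit: Callable[[bytes], tuple]                # v -> (commitment, opening)
    verify: Callable[[object, bytes, object], bool]

def toy_base(t: int) -> Scheme:
    """Stand-in for Com_2 (assumption): commit(v) = H(r || v), opened with r."""
    def commit(v: bytes):
        assert len(v) * 8 == t
        r = secrets.token_bytes(16)
        return hashlib.sha256(r + v).digest(), r
    def verify(c, v, r):
        return len(v) * 8 == t and hashlib.sha256(r + v).digest() == c
    return Scheme(t, commit, verify)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def secret_sharing(com0: Scheme, u: int) -> Scheme:
    """SS(Com_0, u): commit to random shares v_1..v_u whose xor is v."""
    def commit(v: bytes):
        shares = [secrets.token_bytes(len(v)) for _ in range(u - 1)]
        last = v
        for s in shares:
            last = xor_bytes(last, s)
        shares.append(last)                         # forces xor of shares == v
        pairs = [com0.commit(s) for s in shares]
        return [c for c, _ in pairs], (shares, [o for _, o in pairs])
    def verify(cs, v, opening):
        shares, openings = opening
        if len(cs) != u or len(shares) != u or len(openings) != u:
            return False
        if not all(com0.verify(c, s, o) for c, s, o in zip(cs, shares, openings)):
            return False
        acc = bytes(len(v))
        for s in shares:
            acc = xor_bytes(acc, s)
        return acc == v
    return Scheme(com0.t, commit, verify)

def repetition(com0: Scheme, u: int) -> Scheme:
    """R(Com_0, u): commit to the same v u times; every copy must open to v."""
    def commit(v: bytes):
        pairs = [com0.commit(v) for _ in range(u)]
        return [c for c, _ in pairs], [o for _, o in pairs]
    def verify(cs, v, openings):
        return (len(cs) == u and len(openings) == u and
                all(com0.verify(c, v, o) for c, o in zip(cs, openings)))
    return Scheme(com0.t, commit, verify)

def final_scheme(com2: Scheme, a: int) -> Scheme:
    """Steps 3-4 of Fig. 5: Com = R(SS(Com_2, a), a)."""
    return repetition(secret_sharing(com2, a), a)

def demo(a: int = 3) -> tuple[bool, bool]:
    """Honest reveal accepts; revealing a different value is rejected."""
    com = final_scheme(toy_base(32), a)
    v = bytes.fromhex("deadbeef")                   # constructed 32-bit value
    c, o = com.commit(v)
    return com.verify(c, v, o), com.verify(c, bytes.fromhex("deadbeee"), o)
```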


Proof (of Theorem 1). The fact that Com is a secure string commitment scheme follows straightforwardly from Theorem 2 and Lemmas 4, 5 and 6. Observing that Com_1 makes $O(1)$ black-box calls to Com_0, Com_2 makes $O(\log s)$ black-box calls to Com_1, Com_3 makes $\omega(1)$ black-box calls to Com_2, and finally Com makes $\omega(1)$ black-box calls to Com_3, the total number of black-box calls that Com makes to Com_0 is $\omega(\log s)$, as desired.
Abstract. We show that for any elliptic curve $E(\mathbb{F}_{q^n})$, if an adversary has access to a Static Diffie-Hellman Problem (Static DHP) oracle, then by making $O(q^{1-\frac{1}{n+1}})$ Static DHP oracle queries during an initial learning phase, for fixed $n > 1$ and $q \to \infty$ the adversary can solve any further instance of the Static DHP in heuristic time $\tilde{O}(q^{1-\frac{1}{n+1}})$. Our proposal also solves the Delayed Target DHP as defined by Freeman, and naturally extends to provide algorithms for solving the Delayed Target DLP, the One-More DHP and One-More DLP, as studied by Koblitz and Menezes in the context of Jacobians of hyperelliptic curves of small genus. We also argue that for any group in which index calculus can be effectively applied, the above problems have a natural relationship, and will always be easier than the DLP. While practical only for very small $n$, our algorithm reduces the security provided by the elliptic curves defined over $\mathbb{F}_{p^2}$ and $\mathbb{F}_{p^4}$ proposed by Galbraith, Lin and Scott at EUROCRYPT 2009, should they be used in any protocol where a user can be made to act as a proxy Static DHP oracle, or if used in protocols whose security is related to any of the above problems.


1 Introduction 

In recent years, there has been a steadily growing appreciation of the existence of 
an apparent separation, in some cases, between the hardness of breaking discrete 
logarithms in a particular group, and the hardness of solving in that group 
certain problems to which the security of a cryptosystem is provably related. 
This situation can arise when auxiliary information is provided to an attacker in 
the form of limited access to a particular oracle, either within the game played 
by the attacker in the security proof, or in practice when a user can be made to 
act as a proxy oracle by virtue of the nature of the protocol itself. 

For example, in 2004 Brown and Gallant studied the Static Diffie-Hellman Problem (Static DHP), in which a party reuses the same Diffie-Hellman secret for multiple Diffie-Hellman key agreements […]. The authors proved that if the associated DLP for the static secret is hard, then so is the Static DHP. However, their reduction naturally becomes an algorithm for solving the DLP if an attacker has access to a Static DHP oracle. In the protocols [15,17] and [7] for instance, a user can indeed be made to act as a proxy Static DHP oracle, thus rendering such systems vulnerable to this attack. In the best case (from an attacker's perspective), one can compute a static Diffie-Hellman secret in a group of order $r$ with only $O(r^{1/3})$ Static DHP oracle queries and $O(r^{1/3})$ group operations […]. For cryptographically interesting elliptic curves, i.e., those for which generic attacks are the best known, this result is in stark contrast to the time required to compute discrete logarithms, namely $O(r^{1/2})$. So while solving the Static DHP in this case may still be hard, it has lower complexity than the best DLP algorithms.

Koblitz and Menezes have shown that several other problems exhibit a similar apparent hardness separation¹ from the DLP, in the context of Jacobians of hyperelliptic curves of small genus [38]: namely the Delayed Target DHP […], the Delayed Target DLP, the One-More DHP […] and the One-More DLP […]. For each of these problems, it is the use of oracle queries that creates these separations. For instance, for the Delayed Target DHP, the Brown-Gallant algorithm can be applied immediately, since the game played by the attacker gives him initial access to a Static DHP oracle.

In 2006 Cheon rediscovered the Brown-Gallant algorithm when the requisite information is provided in the guise of the Strong Diffie-Hellman Problem (Strong DHP) […]. Cheon also extended the attack to utilise divisors of $r + 1$ as well as of $r - 1$, as with the Brown-Gallant algorithm; indeed both algorithms can be regarded as instances of the well-known reduction from the DLP to the DHP due to den Boer, Maurer, Wolf et al. (see […] for a survey), but with restricted access to a DHP oracle. Incidentally, Cheon's break of the Strong DHP does not in itself reveal any weakness in the protocols that depend upon it, since reductions given in security proofs until that time were in the wrong direction, i.e., they showed that breaking the system enables one to solve the Strong DHP, but not the other way around. Hence, if an algorithm that efficiently solves the Strong DHP is found, then while all security proofs that assume its hardness would no longer provide any security assurance, no actual break of the associated systems would result. In the case of Boneh-Boyen signatures […], which rely on the Strong DHP in the above manner, Jao and Yoshida have given a reduction in the reverse direction, thus strengthening the proof of security for these signatures, and at the same time providing an attack on the scheme with complexity $O(r^{2/5+\epsilon})$, if $O(r^{1/5+\epsilon})$ signature queries are permitted to be performed [32]. This result suggests that if one can establish an equivalence between a given protocol and a problem that exhibits an apparent hardness separation from the DLP, then in some attack models the security assurances provided by these arguments will likely be lower than that provided by the DLP.


¹ We use the prefix apparent, since these separations exist only relative to the current understanding of the respective problems, which could of course change.
Similarly, for the RSA problem, in 2007 Joux, Naccache and Thomé showed that with initial subexponential access to an $e$-th root oracle an attacker can later compute the $e$-th root of any element with complexity lower than that required to factor the modulus [30]. This algorithm was then adapted to solve the oracle-assisted Static DHP in finite fields […], with similar efficiency improvements, demonstrating an apparent hardness separation in this case also.

It is therefore natural to ask whether initial access to a Static DHP oracle can aid in solving later Static DHP instances faster than solving the DLP, in the context of elliptic curves. As previously mentioned, in the best case the Brown-Gallant-Cheon algorithm requires $O(r^{1/3})$ oracle queries and group operations. However, for elliptic curves defined over extension fields $\mathbb{F}_{q^n}$, we present an algorithm which for fixed $n > 1$ and $q \to \infty$ requires $O(q^{1-\frac{1}{n+1}})$ oracle queries and has heuristic time complexity $\tilde{O}(q^{1-\frac{1}{n+1}})$. This should be compared with the best known DLP algorithm for these curves, which has complexity $O(q^{2-2/n})$ [21]; hence our proposal approaches being a square-root faster than the DLP with increasing $n$. Note that for $n = 2$ our complexity is the same as the best-case Brown-Gallant-Cheon complexity, but applies to all elliptic curves over $\mathbb{F}_{q^2}$ and not just those with appropriate divisors of $r \pm 1$, while for $n > 2$ our result is superior. We also present a heuristic subexponential oracle-assisted Static DHP algorithm for elliptic curves over a special family of extension fields.

Our proposal also naturally extends to provide algorithms for solving the four problems studied by Koblitz and Menezes in [38]. In this work it was found that the relationships between the hardness of these problems do not appear to behave as one might expect (cf. [39,40]). We correct a minor oversight in the analysis and argue that in the context of any group in which index calculus is effective, i.e., one in which index calculus provides the best known algorithm to solve the given problems — which includes Jacobians of hyperelliptic curves and elliptic curves over extension fields — the aforementioned problems do indeed have natural relationships, and are always easier than the DLP (this statement naturally only applies with respect to the state of the art in index calculus algorithms). However a central conclusion of [38], namely that it is difficult to assess what security assurances are provided by security proofs when the games played are interactive or have complicated inputs, still holds.

Due to the fact that the implicit constant in the complexity of our algorithm grows very quickly with $n$, it is practical only for small values of $n$, namely $n = 2, 3$ or $4$ (and whenever $n$ is divisible by 2, 3 or 4). However, based on the results of timing estimates arising from an implementation of the components of the attack, the security provided by the elliptic curves defined over $\mathbb{F}_{p^2}$ and $\mathbb{F}_{p^4}$ proposed by Galbraith, Lin and Scott at EUROCRYPT 2009 would be significantly reduced, should these curves be used in any protocol where a user can be made to act as a proxy Static DHP oracle, or if used in protocols whose security is related to any of the problems studied in [38].

Independently of this work, Joux and Vitse […] have proposed the same basic algorithm as the one presented here for the oracle-assisted Static DHP, namely Heuristic Result 1. Although Joux and Vitse did not consider our factor base reduction method that leads to Heuristic Result 2, their main idea improves upon Gaudry's relation finding technique — which is used in the present work — enabling one to find relations for elliptic curves over degree five extension fields, which is currently impractical with Gaudry's method.

One goal of the present work was to assess the impact the algorithms presented herein have upon the oracle-assisted Static DHP on the Oakley Well-known Groups 3 and 4, which form part of the IPSEC set of protocols […] (see […] and […]), and which are defined over degree five extension fields in characteristic two. Noting from our results how much easier it is to find relations in characteristic two than for large prime characteristic, the author contacted the authors of […] in order to apply their idea to these curves. Using the results of this paper and […] we recently announced the experimental verification of the feasibility of solving the oracle-assisted Static DHP on the 152-bit Group 3 curve […] over $\mathbb{F}_{2^{155}}$, which has long been suspected of weakness, but had until now resisted many attacks […].

The sequel is organised as follows. In §2 we recall the Static DHP. In §3 we motivate our main idea, present our basic algorithm, and analyse asymptotic variants of it. Then in §4 we detail curves in the literature that are vulnerable to our attack. In §5 we give a full account of our experimental implementation at the 128-bit security level for extension degrees $n = 2, 3, 4$ and $5$, over large prime and characteristic two fields, assess their impact on the above curves and report on the Oakley Group 3 curve. In §6 we present algorithms for three other problems which arise in cryptographic protocols and analyse their impact, and make some concluding remarks.

2 The Static Diffie-Hellman Problem 

Let $G$ be a cyclic group of prime order $r$, and let $g$ be a fixed generator of $G$. The classical Diffie-Hellman problem in $G$ can be stated as follows […]:

Problem 1. (DHP): Given $g$ and random $g^x$ and $g^y$, find $g^{xy}$.

In Diffie-Hellman (DH) key agreement between two parties, Alice chooses a random secret $x \in \mathbb{Z}/r\mathbb{Z}$ and computes $g^x$, while Bob chooses a random secret $y \in \mathbb{Z}/r\mathbb{Z}$ and computes $g^y$, which are then exchanged. Upon receipt each party computes the shared secret $g^{xy}$ by exponentiating the other party's group element by their own secret. A fundamental security requirement of DH key agreement is that the DHP should be hard.

Should Alice for any reason repeatedly reuse the same secret, $x = d$ say, then the resulting set of DHP problem instances forms a tiny subset of all problem instances featured in the DHP, and it is thus not a priori clear that these instances should be hard, even if the DHP is hard. This problem is referred to as the Static DHP […], which we state as follows:
Problem 2. (Static DHP$_d$): Given fixed $g$ and $g^d$, and random $g^y$, find $g^{dy}$.

Observe that this situation need not just arise as an efficiency measure during multiple DH key agreements — Alice need only compute $g^d$ once and reuse this value for multiple key agreements — but also arises in text-book El-Gamal encryption […], Ford-Kaliski key retrieval [17] and Chaum-Van Antwerpen's undeniable signatures [7]. As mentioned in §1, Brown and Gallant have shown that if the associated DLP is hard, then so is the Static DHP$_d$ […]. However, in the above three protocols, one of the system entities acts as a Static DHP$_d$ oracle, thus turning the Brown-Gallant reduction into an attack.

As in […] we define an oracle for solving the Static DHP$_d$ as follows:

Definition 1. (Static DHP$_d$ Oracle). Let $G$ be a cyclic group of prime order $r$, written additively. For a fixed base element $P \in G$ and a fixed element $Q \in G$ let $d \in \mathbb{Z}/r\mathbb{Z}$ be such that $Q = dP$. Then a Static DHP$_d$ oracle (with respect to $G$) computes the function $\delta : G \to G$ defined by:

$$\delta(X) = dX.$$

Likewise a Static DHP$_d$ algorithm is said to be oracle-assisted if during an initial learning phase it can make a number of Static DHP$_d$ queries, after which, given a previously unseen challenge element $X$, it outputs $dX$. We now consider how to solve the oracle-assisted Static DHP when $G = E(\mathbb{F}_{q^n})$.

3 An Oracle-Assisted Static DHP Algorithm for $E(\mathbb{F}_{q^n})$

In this section we motivate and present our algorithm for solving the oracle- 
assisted Static DHPd in the present context. 

The key observation in [20] is that if one is able to define a suitable ‘factor base’ in the group under consideration, i.e., a relatively small subset of group elements over which a non-negligible proportion of all group elements can be ‘factored’ via the group operation, then it is possible to solve the Static DHP$_d$ with input an arbitrary group element, given knowledge of the action of the Static DHP$_d$ oracle on the factor base elements alone. This follows from the simple fact that if in an additively written group $G$ we have $R = P_1 + \cdots + P_n$, with $P_i$ in some factor base $\mathcal{F}$, then

$$\delta(R) = dR = dP_1 + \cdots + dP_n = \delta(P_1) + \cdots + \delta(P_n).$$

Note that if an arbitrary group element $R$ is not expressible over the factor base, then by adding a random element $Q \in \mathcal{F}$ (or any linear combination thereof) to $R$ and testing expressibility, one can produce an element $R + Q$ which factors over $\mathcal{F}$, thus permitting the Static DHP$_d$ to be solved as before. Therefore a good factor base over which a non-negligible proportion of elements may be expressed, combined with randomisation, enables one to solve the Static DHP$_d$ for arbitrary group elements.
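The two observations above, the identity $\delta(R) = \delta(P_1) + \cdots + \delta(P_n)$ and the randomisation $R + Q$, on a tiny toy curve, as an added example that is not from the paper: it shows that a party answering Static DHP$_d$ queries on the factor base alone hands out the ability to compute $dX$ for arbitrary $X$, with $d$ never recovered. The curve over $\mathbb{F}_{1009}$, the secret $d$, the factor-base bound and the brute-force decomposition table (standing in for Gaudry's decomposition method) are all our own constructed assumptions.

```python
"""Added example (not the paper's code): factor-base solving of the
oracle-assisted Static DHP_d on a constructed toy curve."""
import random
from itertools import combinations_with_replacement

P_MOD, A_COEF, B_COEF = 1009, 2, 3   # toy curve y^2 = x^3 + 2x + 3 over F_1009
INF = None                           # point at infinity (group order need not be prime here)

def ec_neg(P):
    return INF if P is INF else (P[0], (-P[1]) % P_MOD)

def ec_add(P, Q):
    """Affine short-Weierstrass addition (toy; no side-channel care taken)."""
    if P is INF: return Q
    if Q is INF: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0: return INF
    if P == Q: lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD)
    else:      lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, P):
    R = INF
    while k:
        if k & 1: R = ec_add(R, P)
        P, k = ec_add(P, P), k >> 1
    return R

def all_points():
    sq = {}
    for y in range(P_MOD): sq.setdefault(y * y % P_MOD, []).append(y)
    return [(x, y) for x in range(P_MOD)
            for y in sq.get((x ** 3 + A_COEF * x + B_COEF) % P_MOD, [])]

class StaticDHPOracle:
    """del(X) = dX with d hidden; only the number of queries is observable."""
    def __init__(self, d): self._d, self.queries = d, 0
    def __call__(self, X):
        self.queries += 1
        return ec_mul(self._d, X)

def build_table(factor_base, max_terms=3):
    """R -> (P_1, ..., P_k) for every R that is a sum of <= max_terms
    factor-base points: the toy stand-in for decomposition over F."""
    table = {}
    for k in range(1, max_terms + 1):
        for combo in combinations_with_replacement(factor_base, k):
            S = INF
            for P in combo: S = ec_add(S, P)
            if S is not INF: table.setdefault(S, combo)
    return table

def solve_static_dhp(R, delta_known, table, factor_base, rng, tries=200):
    """dR from oracle answers on the factor base only.  If R does not
    decompose, randomise with Q in F: dR = d(R + Q) - dQ."""
    for i in range(tries):
        Q = INF if i == 0 else rng.choice(factor_base)
        combo = table.get(ec_add(R, Q))
        if combo is None: continue
        out = INF
        for P in combo: out = ec_add(out, delta_known[P])
        return out if Q is INF else ec_add(out, ec_neg(delta_known[Q]))
    return None

def demo(seed=7, d=347, x_bound=40):
    """Learning phase on F, then 20 random challenges; d is used only in the
    final comparison, which plays the role of an answer key."""
    rng = random.Random(seed)
    pts = all_points()
    factor_base = [P for P in pts if P[0] < x_bound]       # 'small' x-coordinate
    oracle = StaticDHPOracle(d)
    delta_known = {P: oracle(P) for P in factor_base}      # learning phase
    table = build_table(factor_base)
    ok = all(solve_static_dhp(R, delta_known, table, factor_base, rng)
             == ec_mul(d, R) for R in rng.sample(pts, 20))
    return ok, oracle.queries == len(factor_base)
```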
Observe that for the oracle-assisted Static DHP$_d$, one does not ever need to know $d$ in order to compute the action of multiplication by $d$ on an arbitrary element of $G$, i.e., one can solve the Static DHP$_d$ without solving the DLP. This is because implicit information is ‘leaked’ via the Static DHP$_d$ oracle queries which enables one to solve the Static DHP$_d$ using the above observations, more readily than one is able to solve the DLP, for which there is no such information. This idea is central to both [23] and [28].

When $G$ is the multiplicative group of a finite field, the problem of how best to construct a factor base, and how to express arbitrary elements over such a factor base, is well studied [35,33,34]. For finite fields there exists a natural notion of size for elements, or equivalently a norm function, given by either the absolute value of an element for prime fields, or the degree of an element for extension fields, or a combination of both depending on the algorithm being used to generate multiplicative relations. A norm function imbues a group with a notion of smoothness, and those elements of small norm generate more group elements than those elements of larger norm; hence the best choice for a factor base is the set of elements of norm up to some bound.

In the context of elliptic curves over prime fields, there does not appear to
be a utilisable notion of norm that enables the selection of a factor base that
generates a higher proportion of group elements than any other, nor a means
by which to factor elements over one should one be chosen. It is precisely this
issue that has so far precluded the discovery of a successful native index calculus
algorithm for computing discrete logarithms on such curves, which is why they
are so attractive from a security perspective.

For elliptic curves over extension fields, the story is very different. While the
‘Weil descent’ methodology [19, 25, 31] has proven successful for solving or weak-
ening the DLP in some cases, this involves mapping to a generally larger group,
which although possessing a natural factor base, does not allow the requisite
Static DHP oracle queries to be made on the preimages of the factor base ele-
ments, since in general such preimages will not exist. There does however exist
a notion of smoothness for such elliptic curves, as remarkably discovered by
Gaudry [?].


3.1 Gaudry’s Insight 

Developing upon an intriguing idea due to Semaev [?], in 2004 (see footnote 3) Gaudry showed
how to define a useful factor base for $E(\mathbb{F}_{q^n})$, over which elements can be ‘fac-
tored’, or more properly, decomposed, which leads to an index calculus algorithm
for computing logarithms over these curves [?]. For fixed $n > 1$ and $q \to \infty$,
the algorithm has heuristic complexity $O(q^{2-2/n})$, which is much faster than the
Pollard rho complexity $O(q^{n/2})$.

Footnote 2: There are of course attacks that apply to a very small minority of elliptic
curves [?], though these are well understood and are easily avoided,
or in the case of pairing-based cryptography, which relies on curves which are sus-
ceptible to [?], are employed.

Footnote 3: Gaudry’s algorithm was initially posted to the IACR preprint server in 2004 (paper
number 2004/073), but was not published until 2009, in [?].

We begin by recalling Semaev’s Summation Polynomials [?].

Definition 2. For $\mathrm{char}(\mathbb{F}_q) > 3$ let $E$ be an elliptic curve defined over $\mathbb{F}_{q^n}$
by the equation $y^2 = x^3 + ax + b$. The summation polynomials $f_n$ of $E$ are
defined by the following recurrence, with initial values for $n = 2$ and $3$ given by
$f_2(X_1, X_2) = X_1 - X_2$, and

$f_3(X_1, X_2, X_3) = (X_1 - X_2)^2 X_3^2 - 2\big((X_1 + X_2)(X_1 X_2 + a) + 2b\big) X_3 + \big((X_1 X_2 - a)^2 - 4b(X_1 + X_2)\big),$

and for $n \ge 4$ and $1 \le k \le n - 3$,

$f_n(X_1, \ldots, X_n) = \mathrm{Res}_X\big(f_{n-k}(X_1, \ldots, X_{n-k-1}, X),\; f_{k+2}(X_{n-k}, \ldots, X_n, X)\big).$

While this definition may appear rather mysterious, Semaev derived the above
formulae by insisting that $f_n$ satisfies the following property, which relates $f_n$ to
the addition law on $E$.

Theorem 1. (Semaev [?]) Let $E$ be an elliptic curve over a field $k$, $n \ge 2$ and
$f_n$ its $n$-th summation polynomial. Let $x_1, \ldots, x_n$ be $n$ elements of an algebraic
closure $\bar{k}$ of $k$. Then $f_n(x_1, \ldots, x_n) = 0$ iff there exists an $n$-tuple $(y_1, \ldots, y_n)$ of
elements in $\bar{k}$ such that for all $i$, $P_i = (x_i, y_i)$ is a point on $E$ and

$P_1 + \cdots + P_n = O.$

One can therefore see immediately that $f_n$ provides an encoding for all sets of
$n$ points on a given curve whose sum is the identity element. For an elliptic
curve $E$ over a prime field $\mathbb{F}_p$, Semaev proposed setting the factor base to be the
set of all points on $E$ whose abscissa has magnitude less than $p^{1/n}$. Then one
computes random multiples of some base point $P$, say $R_i = r_i P$, and attempts
to write each such $R_i$ as a sum of $n$ points in the factor base. To do this one
need only solve

$f_{n+1}(x_1, \ldots, x_n, x_{R_i}) = 0.$ (1)

By symmetry, one heuristically expects this to be possible for a proportion $1/n!$
of points $R_i$, and when $O(p^{1/n})$ points that decompose have been found (the
approximate size of the factor base) one can obtain their logarithms with respect
to $P$ via a sparse linear algebra elimination, which has complexity $O(p^{2/n})$.
Finding the logarithm of an arbitrary group element is then easy. Therefore, if
finding small roots of (1) were possible, for fixed $n \ge 5$ and $p \to \infty$ this algorithm
would be faster than Pollard rho.

Unfortunately, finding such small roots, at least for more than two vari-
ables [?], appears hard. Gaudry’s insight was to observe that for elliptic curves
over $\mathbb{F}_{q^n}$, if one uses a factor base consisting of points with abscissae in the base
field $\mathbb{F}_q$, then assuming the field of definition of the curve is $\mathbb{F}_{q^n}$, the Weil re-
striction of scalars of equation (1) from $\mathbb{F}_{q^n}$ to $\mathbb{F}_q$ forms an algebraic system of $n$
equations in $n$ indeterminates over $\mathbb{F}_q$, which is nearly always zero-dimensional
and which can be solved via elimination theory [?]. Note that the above as-
sumption crucially also ensures that the factor base elements do not form a
subgroup. Using a ‘double large prime variation’ [20] this leads to a DLP algo-
rithm with complexity $O(q^{2-2/n})$. We are now ready to present the basic version
of our algorithm, in which we detail how this Weil restriction approach works.

3.2 Basic Oracle-Assisted Static DHP Algorithm

Let $E$ be an elliptic curve whose field of definition is $\mathbb{F}_{q^n}$. We define a factor
base $\mathcal{F}$ à la Gaudry [?] as follows:

$\mathcal{F} = \{P = (x, y) \in E(\mathbb{F}_{q^n}) \mid x \in \mathbb{F}_q\}.$

On heuristic grounds, one expects $|\mathcal{F}| \approx q$, see [?]. For each $P \in \mathcal{F}$ we make an
oracle call to the Static DHP oracle, to give $\delta(P) = dP$.

For an arbitrary point $R \in E(\mathbb{F}_{q^n})$, the goal is to find $dR$. We attempt to write
$R$ as a sum of $n$ elements of $\mathcal{F}$, i.e.,

$R = P_1 + \cdots + P_n.$

By symmetry, one heuristically expects the proportion of elements expressible
in such a way to be approximately $1/n!$. To perform this decomposition one uses
Semaev’s summation polynomial $f_{n+1}$, and attempts to solve

$f_{n+1}(x_1, \ldots, x_n, x_R) = 0 \in \mathbb{F}_{q^n}.$ (2)

Note that the expression on the left of equation (2) involves the defining co-
efficients of the curve $E$, and the abscissa $x_R$, all of which are in $\mathbb{F}_{q^n}$. Fix a
polynomial basis $\{1, t, \ldots, t^{n-1}\}$ for the extension $\mathbb{F}_{q^n}/\mathbb{F}_q$. Then each one of the
$n$ coefficients of powers of $t$ must be zero. Since each of the $n$ abscissae $x_i$ are in
$\mathbb{F}_q$, equation (2) defines a variety with $n$ equations in $n$ indeterminates over $\mathbb{F}_q$,
which one solves via a Gröbner basis computation, see [?].

If there is a solution $(x_1, \ldots, x_n)$ to the system (2), then one needs to compute
all $2^n$ possible combinations $\pm P_1 \pm \cdots \pm P_n$ for the corresponding ordinates in
order to find the correct combination which sums to $R$. Then the solution to the
Static DHP for $R$ is immediate:


$\delta(R) = dR = dP_1 + \cdots + dP_n,$


where all the terms on the right hand side are already known, due to the oracle
queries on $\mathcal{F}$.

As already discussed, if a solution does not exist, then one adds to $R$ a random
element $Q \in \mathcal{F}$ (or any linear combination thereof) and attempts to decompose
this point once again. One expects this to succeed after approximately $n!$ at-
tempts. When it does we have the following equation:

$R + Q = P_1 + \cdots + P_n,$

which implies that

$\delta(R) = dR = dP_1 + \cdots + dP_n - dQ,$

where again all the terms on the right hand side are already known. Hence our
Static DHP$_d$ instance is solved.
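The algorithm of Sects. 3.1 and 3.2 for $n = 2$, as an added worked example that is not part of the paper: a constructed toy curve over $\mathbb{F}_{p^2}$ with $p = 31$, Semaev's $f_3$ from Definition 2 (checked against Theorem 1), a factor base of points with abscissa in $\mathbb{F}_p$, oracle queries on the factor base only, and the randomised decomposition $R + Q = P_1 + P_2$ giving $dR = \delta(P_1) + \delta(P_2) - \delta(Q)$. The Gröbner basis step is replaced by exhaustive search over $(x_1, x_2) \in \mathbb{F}_p^2$, which is only possible because $p$ is tiny; the prime, the curve coefficients and the secret $d$ are all constructed.

```python
"""Added example (not the paper's code): the basic oracle-assisted Static DHP_d
algorithm of Sect. 3.2 on a constructed toy curve over F_{p^2}, n = 2.  Brute force
over (x1, x2) in F_p x F_p stands in for the Groebner basis solution of the Weil
restriction of f_3(x1, x2, x_R) = 0; p, the curve and the secret d are constructed."""
import random

P = 31                      # constructed base-field prime: q = p, q^n = p^2
NR = 3                      # quadratic non-residue mod 31; F_{p^2} = F_p[t]/(t^2 - 3)
ZERO = (0, 0)               # a0 + a1*t is stored as (a0, a1)
A, B = (2, 0), (3, 1)       # constructed E: y^2 = x^3 + A x + B, B not in F_p, so E is
                            # defined over F_{p^2} only (Gaudry's assumption, Sect. 3.1)

def fadd(u, v): return ((u[0] + v[0]) % P, (u[1] + v[1]) % P)
def fsub(u, v): return ((u[0] - v[0]) % P, (u[1] - v[1]) % P)
def fmul(u, v):
    return ((u[0] * v[0] + NR * u[1] * v[1]) % P, (u[0] * v[1] + u[1] * v[0]) % P)
def finv(u):                # (a0 + a1 t)^-1 = (a0 - a1 t) / (a0^2 - NR a1^2)
    ninv = pow((u[0] * u[0] - NR * u[1] * u[1]) % P, P - 2, P)
    return ((u[0] * ninv) % P, (-u[1] * ninv) % P)

def ec_add(p1, p2):         # affine chord-and-tangent addition; None is the identity O
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if fadd(y1, y2) == ZERO: return None          # P + (-P) = O (covers y = 0 too)
        lam = fmul(fadd(fmul((3, 0), fmul(x1, x1)), A), finv(fmul((2, 0), y1)))
    else:
        lam = fmul(fsub(y2, y1), finv(fsub(x2, x1)))
    x3 = fsub(fsub(fmul(lam, lam), x1), x2)
    return (x3, fsub(fmul(lam, fsub(x1, x3)), y1))
def ec_neg(p): return None if p is None else (p[0], fsub(ZERO, p[1]))
def ec_mul(k, p):           # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, p)
        p, k = ec_add(p, p), k >> 1
    return acc

def f3(x1, x2, x3):
    """Semaev's third summation polynomial (Definition 2), evaluated in F_{p^2}."""
    s, m, d = fadd(x1, x2), fmul(x1, x2), fsub(x1, x2)
    t1 = fmul(fmul(d, d), fmul(x3, x3))
    t2 = fmul(fmul((2, 0), fadd(fmul(s, fadd(m, A)), fmul((2, 0), B))), x3)
    t3 = fsub(fmul(fsub(m, A), fsub(m, A)), fmul(fmul((4, 0), B), s))
    return fadd(fsub(t1, t2), t3)

def build_factor_base():
    """F = {(x, y) in E(F_{p^2}) : x in F_p}, found by exhaustive search."""
    fb = []
    for x in range(P):
        X = (x, 0)
        rhs = fadd(fadd(fmul(fmul(X, X), X), fmul(A, X)), B)
        fb += [(X, (y0, y1)) for y0 in range(P) for y1 in range(P)
               if fmul((y0, y1), (y0, y1)) == rhs]
    return fb

FACTOR_BASE = build_factor_base()
FB_BY_X = {}                # abscissa in F_p -> the (at most two) factor base points above it
for pt in FACTOR_BASE:
    FB_BY_X.setdefault(pt[0][0], []).append(pt)

def decompose(R):
    """Write R = P1 + P2 with P1, P2 in the factor base, or return None."""
    if R is None: return None
    for x1 in range(P):
        for x2 in range(x1, P):
            if f3((x1, 0), (x2, 0), R[0]) != ZERO: continue
            # abscissae found: try the 2^n sign choices of the ordinates (Sect. 3.2)
            for P1 in FB_BY_X.get(x1, ()):
                for P2 in FB_BY_X.get(x2, ()):
                    if ec_add(P1, P2) == R: return P1, P2
    return None

def solve_static_dhp(R, oracle_table, rng, max_attempts=200):
    """Compute dR from the oracle answers delta(P) = dP on the factor base alone.
    If R does not decompose, add a random factor base element and retry."""
    Q, dQ = None, None      # accumulated randomiser Q and its known image dQ
    for _ in range(max_attempts):
        dec = decompose(ec_add(R, Q))
        if dec is not None:
            P1, P2 = dec    # R + Q = P1 + P2, hence dR = dP1 + dP2 - dQ
            return ec_add(ec_add(oracle_table[P1], oracle_table[P2]), ec_neg(dQ))
        S = rng.choice(FACTOR_BASE)
        Q, dQ = ec_add(Q, S), ec_add(dQ, oracle_table[S])
    return None

def check_theorem1(P1, P2):  # Theorem 1, n = 3: f3(x1, x2, x3) = 0 iff P1 + P2 + P3 = O
    P3 = ec_neg(ec_add(P1, P2))
    return None if P3 is None else f3(P1[0], P2[0], P3[0]) == ZERO

def run_attack(d, r, seed=1):
    """Learning phase: query the oracle on F only; then solve for R = r*G without d."""
    table = {pt: ec_mul(d, pt) for pt in FACTOR_BASE}   # the O(q) oracle queries
    R = None
    for G in FACTOR_BASE:   # any curve point of order > r serves as base point
        R = ec_mul(r, G)
        if R is not None: break
    answer = solve_static_dhp(R, table, random.Random(seed))
    return answer is not None and answer == ec_mul(d, R)
```

Running `run_attack(17, 7)` returns True: the solver never sees $d = 17$, only the $|\mathcal{F}| \approx p$ oracle answers.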


3.3 Discussion 

Our first observation is that the above algorithm and this discussion of it are
entirely heuristic; however we believe that the algorithm and its complexity can
be made completely rigorous using the results of Diem [10, 11], should one choose
to do so, see §3.4.

Our second observation — which is fundamental to the complexity of the 
algorithm — is that in contrast to the DLP, there is no linear algebra elimination, 
since only a single relation is sought. So once the initial oracle querying phase 
is complete, the complexity of the algorithm depends only on the problem of 
computing one relation. We therefore analyse this cost now. 

For $n \ge 3$, Semaev’s summation polynomials $\{f_n\}$ are symmetric and are of
degree $2^{n-2}$ in each variable. Hence equation (2) is of degree $2^{n-1}$ in each variable.
In order to simplify the system greatly, it pays to express $f_{n+1}$ in terms of the
elementary symmetric functions $e_1, \ldots, e_n$ in the variables $x_1, \ldots, x_n$. We then
have a system of $n$ equations in the $n$ indeterminates $e_1, \ldots, e_n$ each of which
again has degree bounded by $2^{n-1}$ in each variable. In order to solve this system,
we perform a Gröbner basis computation.

In practice our experiments (see §5) showed that the Gröbner basis w.r.t. the
lexicographic ordering always satisfies the so-called shape lemma [27, 41], i.e., it
is of the following form:

$e_1 - g_1(e_n),\; e_2 - g_2(e_n),\; \ldots,\; e_{n-1} - g_{n-1}(e_n),\; g_n(e_n),$ (3)

where $g_i(e_n)$ is a univariate polynomial in $e_n$ for each $i$. In general the degree of
the univariate polynomial in $e_n$ that we obtain will be $2^{n(n-1)}$ and indeed in our
experiments this is borne out. The complexity of Faugère’s algorithm F4 [?] to
compute this basis is therefore at least

$O(\mathrm{Poly}(2^{n(n-1)})).$

Since this is doubly exponential in $n$, this makes the algorithm practical only
for very small values of $n$. However for fixed $n$ and $q \to \infty$, this is polynomial in
$\log q$.

To find whether or not the system has roots $e_1, \ldots, e_n \in \mathbb{F}_q$ one extracts the
linear factors of the univariate polynomial $g_n(e_n)$ using a gcd computation with
$e_n^q - e_n$ followed by Cantor-Zassenhaus and then substitutes each $\mathbb{F}_q$ root $e_n$ into
$g_i(e_n)$ to find $e_{n-1}, \ldots, e_1$. For each such vector of $\mathbb{F}_q$ roots $(e_1, \ldots, e_n)$ one tests
whether the polynomial

$p(x) = x^n - e_1 x^{n-1} + e_2 x^{n-2} - \cdots + (-1)^n e_n$ (4)

splits over $\mathbb{F}_q$. If it does then these roots are the abscissae of points in $E(\mathbb{F}_q)$,
and there exists a linear combination

$\epsilon_1 P_1 + \cdots + \epsilon_n P_n$ (5)

with $\epsilon_i \in \{-1, 1\}$ which sums to $R$. This step is also polynomial in $\log q$.

On average one expects to have to perform $n!$ such decompositions in order to
find a relation. Therefore the complexity of our basic Static DHP algorithm
for fixed $n > 1$ and $q \to \infty$ is polynomial in $\log q$. This gives the following
heuristic result.

Heuristic Result 1. For any elliptic curve $E(\mathbb{F}_{q^n})$, by making $O(q)$ queries
to a Static DHP$_d$ oracle during an initial learning phase, for fixed $n > 1$ and
$q \to \infty$, an adversary can solve any further instance of the Static DHP$_d$ in time
$\mathrm{Poly}(\log q)$.

Note that prior to the learning phase, the adversary needs to construct the factor
base by testing whether a given abscissa $x \in \mathbb{F}_q$ gives a point lying on $E$ or not.
We incorporate this computation into the learning phase, since it has the same
complexity of $O(q)$. It is of course possible to balance the cost of the learning
and relation-finding phases, which we now consider.

3.4 Balancing the Setup and Relation-Finding Costs 

To balance the cost of the oracle querying phase and the relation finding phase,
one needs to reduce the size of the factor base by some proportion. To this end,
let $|\mathcal{F}| = q^\alpha$, with $0 < \alpha < 1$. Then given the decomposition of a random point
$R \in E$ as a sum of points whose abscissae are in $\mathbb{F}_q$, the probability that a single
abscissa is in $\mathcal{F}$ is $q^{\alpha - 1}$. Assuming these events are independent, the probability
that all $n$ abscissae are in $\mathcal{F}$ is $q^{n(\alpha - 1)}$. Hence in order to obtain one relation,
one expects to have to perform $1/q^{n(\alpha - 1)} = q^{n(1 - \alpha)}$ successful decompositions.

Asymptotically for fixed $n > 1$ and $q \to \infty$ one can regard the cost of a
decomposition as unital (modulo some log factors) and hence to balance the two
stages $\alpha$ must satisfy:

$q^\alpha = q^{n(1 - \alpha)},$

and so $\alpha = n/(n+1) = 1 - 1/(n+1)$. This gives the following heuristic result as
stated in the abstract.

Heuristic Result 2. For any elliptic curve $E(\mathbb{F}_{q^n})$, by making $O(q^{1 - 1/(n+1)})$
queries to a Static DHP$_d$ oracle during an initial learning phase, for fixed $n > 1$
and $q \to \infty$, an adversary can solve any further instance of the Static DHP$_d$ in
time $O(q^{1 - 1/(n+1)})$.

Observe that there is no possibility (nor necessity) for considering so-called large
primes, i.e., those with abscissa in $\mathbb{F}_q$ but not lying in $\mathcal{F}$, since there is no linear
algebra elimination step on the single relation. If we compare the above com-
plexity to that obtained by Gaudry for the DLP, namely $O(q^{2 - 2/n})$, which uses a
double large-prime variant, we see that our algorithm for solving the Static DHP
approaches being a square root faster for increasing $n$. Intuitively this difference
in complexity arises from there not being a linear algebra step in the solution of
the Static DHP$_d$.

We note that Diem has given a rigorous algorithm that is essentially equivalent
to Gaudry’s DLP algorithm above [?], which for fixed $n \ge 2$ solves the DLP
on any elliptic curve over $\mathbb{F}_{q^n}$ in proven expected time $q^{2 - 2/n} (\log q)^{O(1)}$. We
believe his treatment can be adapted mutatis mutandis to transform the above
two heuristic results into theorems, though since it is not the primary focus of
this paper, we have not verified this here.

Observe that in practice the limiting factor is not the decompositions, but 
the oracle queries, since these would typically be performed on a single server, 
whereas the former can be easily distributed. One can therefore reduce the num- 
ber of such queries below the above threshold, at the expense of needing to 
perform more decompositions. Such a trade-off is easily optimised, based on the 
amount of computing power available, but will nevertheless require an exponen-
tial number of oracle queries, for fixed $n$ and $q \to \infty$. We now consider how and
when the number of oracle queries may be made subexponential in the size of 
the group. 


3.5 Subexponential Oracle-Assisted Static DHP Algorithm

Diem has also proven the following remarkable result [?]. For $n \to \infty$ and
assuming $n = O(\sqrt{\log q})$, the DLP over any elliptic curve $E(\mathbb{F}_{q^n})$ can be solved
in expected time $q^{O(1)} = e^{O(\log(q^n)^{2/3})}$. Thus for a family of finite fields, any
elliptic curve DLP can be solved using a native subexponential index calculus
algorithm.

While Diem is not precise in his analysis of the exponents in the complexity of
the constituent parts of the algorithm, it is clear that since for the oracle-assisted
Static DHP$_d$ there is no linear algebra step, one expects a similar improvement
over the DLP algorithm in this context to the fixed $n$ case, i.e., nearly square
root, and that this also can be rigorously proven. This therefore provides an
oracle-assisted Static DHP$_d$ algorithm that requires a subexponential number of
oracle queries. We leave it as an open problem to find the precise complexity of
Diem’s algorithm, and the resulting complexity of our algorithm in this context.

4 Potentially Vulnerable Curves 

At EUROCRYPT 2009, Galbraith, Lin and Scott proposed the use of special
elliptic curves over $\mathbb{F}_{p^2}$ and $\mathbb{F}_{p^4}$, which possess efficiently computable ho-
momorphisms that permit a particularly efficient version of the Gallant-Lambert-
Vanstone point multiplication method [?]. As well as the single bit speed-up of
Pollard rho available on these curves, both the GHS attack [?] and Gaudry’s
attack [?] are considered, and appropriate recommendations are made in light
of these. In particular, for curves over $\mathbb{F}_{p^2}$, neither of these attacks is faster than
Pollard rho, and so these curves were believed to attain the desired security level.
For curves over $\mathbb{F}_{p^4}$, in light of the latter attack the authors recommend that
primes of length 80 bits should be used to achieve 128-bit security, rather than
of length 64 bits, although it is stated that this is a very conservative choice,
since Gaudry’s algorithm requires expensive computations, and so potentially
smaller primes could be used. Similarly Hankerson, Karabina and Menezes have
considered the GLS point multiplication method over binary fields of the form
$\mathbb{F}_{q^2}$ [?].

Prior to our attack, the only potential weakness of cryptographically inter-
esting curves over $\mathbb{F}_{p^2}$ would be due to the Brown-Gallant-Cheon attack. In
the best case (from an adversary’s perspective), should the group order $\pm 1$ be
divisible by an integer of size $O(p^{2/3})$, then the Static DHP$_d$ secret $d$ can be
computed in time $O(p^{2/3})$. Such a condition can be easily avoided should this
attack be a concern. For the curves considered in [?], the Weil descent method
is analysed and it is shown that the proportion of susceptible curves is negligible
and can be provably avoided with a feasible computation. However, regardless
of the divisibility properties of the group order $\pm 1$, the balanced oracle-assisted
Static DHP$_d$ algorithm from §3.4 achieves a complexity of $O(p^{2/3})$ (and similarly
for the binary curves). Assuming that point decompositions over the factor base
can be computed efficiently, this attack therefore poses a real threat.

For curves over $\mathbb{F}_{p^4}$, our attack has complexity $O(p^{4/5})$, which is much faster
than Gaudry’s attack on the DLP, which has complexity $O(p^{3/2})$. Again assum-
ing that point decompositions can be performed efficiently, curves over degree 4
extensions are also vulnerable.

Also of interest are the legacy curves which until recently formed part of
the Oakley Key Determination Protocol, a part of IPSEC. These are the ‘Well
Known Groups’ 3 and 4 [?] which are elliptic curves defined over the fields $\mathbb{F}_{2^{155}}$
and $\mathbb{F}_{2^{185}}$, and which have been the target of numerous attempted attacks via
the Weil descent method [49, 25, 22, ?] since their inception.

5 Experimental Results 

We implemented our oracle-assisted Static DHP$_d$ algorithm using the compu-
tational algebra system MAGMA [?] (V2.16-5), which was run on an Intel Xeon
running at 3.16GHz with 32G of memory. We considered two sets of curves. The
first set consisted of four randomly selected curves of prime order, each of which
were 256 bits in length, for fields of the form $\mathbb{F}_{p^2}$, $\mathbb{F}_{p^3}$, $\mathbb{F}_{p^4}$ and $\mathbb{F}_{p^5}$, see §5.1 and
§5.2. These curves were chosen in order to measure how vulnerable the curves
proposed in [?] are to our algorithm. We also provide estimates for solving the
DLP on these curves via Pollard rho and the state of the art index calculus
algorithms. The second set consisted of four randomly selected curves of order
$4 \cdot p$ with $p$ of bitlength 256 over the binary fields $\mathbb{F}_{2^{ln}}$, for $n = 2, 3, 4$ and $5$, so
that $ln$ was as close to 256 as possible. The reason for implementing the attack
on these curves was twofold: firstly to assess the security of the curves proposed
in [?], and secondly to compare the efficiency of the attack with the prime
field case, with a view to assessing the difficulty of breaking the oracle-assisted
Static DHP$_d$ on the Oakley curves, which we report in §5.3.

While our implementations in MAGMA are clearly sub-optimal, our goal was
to provide a proof-of-concept implementation, and to give a reasonable indica-
tion of what can be achieved in practice. Indeed our results provide an upper
bound for the time required to solve the oracle-assisted Static DHP$_d$ in each
case. With a tailored and optimised low-level implementation our attack times
can be improved significantly, as exemplified by the result reported in [?].


5.1 Large Prime Characteristic 

For each of $n = 2, 3, 4$ and $5$ we used curves of the form

$E(\mathbb{F}_{p^n}) : y^2 = x^3 + ax + b,$

for $a$ and $b$ randomly chosen elements of $\mathbb{F}_{p^n}$, such that $\#E(\mathbb{F}_{p^n})$ was a prime
of bitlength 256.

For $n = 2, 3$ and $4$ we computed the symmetrised summation polynomials
$f_3$, $f_4$ and $f_5$ respectively, and all experiments were completed within two hours.
For the computation of $f_6$, we surprisingly ran out of memory, and so instead
independently symmetrised the two $f_4$ polynomials used in the resultant com-
putation to reduce the number of terms, and substituted $x_R$ into this partially
symmetrised version of $f_6$. One can extract the elementary symmetric polyno-
mials from these two independent sets by appropriately recombining them. How-
ever the resulting Gröbner basis computation eventually exhausted the available
memory and so the $n = 5$ experiments were unable to be completed. Without
an accurate idea of how long the Gröbner basis computation might take were we
to have sufficient available memory, we consider finding relations for curves over
these fields to be impractical given our resources at the present time. Note how-
ever that for prime base fields, we know of no proposals in the literature for the
use of degree five extension fields for elliptic curve cryptography. We therefore
include results only for $n = 2, 3$ and $4$, in Table 1.

The column titles in the table denote respectively: the degree of the extension
field; the size of the prime base field in bits; the number of monomials in $f_{n+1}$;
the number of monomials in $f_{n+1}$ once symmetrised; the average time required
to perform a Gröbner basis computation; and the average time required to find
the points that sum to the point being decomposed.

Table 1. Data for testing and decomposing points for elliptic curves over extension
fields. Times are in seconds.

  n   log p   #f_{n+1}   #sym f_{n+1}   T(GB)   T(roots)
  2   128     13         5              0.001   0.009
  3   85.3    439        43             0.029   0.027
  4   64      54777      1100           5363    3.68
As per §3.3 the last of these consists of the extraction of the degree one fac-
tors of the polynomial $g_n(e_n)$ and then substitutes the roots into the remaining
polynomials $g_i(e_n)$ in equation (3). This is followed by the desymmetrisation fac-
torisation (equation (4)) and then computation of the correct linear combination
of factor base elements that sum to $R$ (equation (5)).

As one can see, symmetrisation reduces the size of the system greatly. Note
that the only setup cost comes from computing $f_{n+1}$ and its symmetrisation; the
final two columns give the average decomposition cost per input point, which
for $n = 2$ and $3$ is taken over 1000 inputs and includes both those that do decompose over
$\mathcal{F}$, as well as those that do not.

For $n = 4$, since the computation is significantly more costly, we report the
time for one input point only; note that the input system for the Gröbner basis
computation always has the same form but with different coefficients, and hence
one expects this part of the computation to be very consistent. With regards
to the root finding time, the three stages described above took 3.68s, 0.00s and
0.04s respectively, and so the dominant cost is the initial factorisation, which
is necessary whether an input point decomposes or not. Hence we estimate the
average time over uniformly chosen input points to be $\approx 3.68 + 0.04/4! \approx 3.68$s,
since a point decomposes with probability $1/4!$.

5.2 Upper Bounds on Attack Times 

From the data in Table 1 and the time required to compute a scalar multipli-
cation, one can compute an upper bound on the time required to carry out the
attack in §3.4. Setting $|\mathcal{F}| = p^\alpha$, a minimising $\alpha$ balances the two stages of the
attack, namely the oracle calls, and the relation finding stage. We ignore the
cost of constructing the factor base since this only involves a handful of field
operations and a Legendre symbol computation. A more careful version of the
argument of §3.4 leads to the following equation:

$p^{n(1 - \alpha)} \cdot n! \cdot (T(\mathrm{GB}) + T(\mathrm{roots})) = p^\alpha \cdot T(\mathrm{scalar}),$

where $T(\mathrm{scalar})$ denotes the average cost of a scalar multiplication. With our
implementation the latter costs approximately 0.008s, 0.011s and 0.012s on the
curves defined over $\mathbb{F}_{p^2}$, $\mathbb{F}_{p^3}$ and $\mathbb{F}_{p^4}$ respectively.
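The balancing equation above worked through numerically, as an added example that is not part of the paper: taking $\log_2$ of both sides makes it linear in $\alpha$, and the total attack time is the sum of the two balanced stages, $2 \cdot p^\alpha \cdot T(\mathrm{scalar})$. Fed with the Table 1 timings and the $T(\mathrm{scalar})$ values quoted above it reproduces the $\alpha$ and attack-time columns of Table 2 (and, with the Table 3 timings and the 0.014s scalar multiplication of §5.3, the binary-field rows as well); the $n = 2$ attack time, illegible in this copy of Table 2, comes out at about $2^{79.8}$s.

```python
"""Added example (not the paper's code): solving the balancing equation of
Sect. 5.2 for alpha and deriving the attack-time estimate, from the Table 1
timings and the T(scalar) values quoted in the text.  The formula is the
paper's; only the arithmetic is done here."""
import math

# Measured averages from Table 1 and Sect. 5.2: n -> (log2 p, T(GB), T(roots), T(scalar))
MEASUREMENTS = {
    2: (128.0, 0.001, 0.009, 0.008),
    3: (85.3, 0.029, 0.027, 0.011),
    4: (64.0, 5363.0, 3.68, 0.012),
}

def balance(n, log2p, t_gb, t_roots, t_scalar):
    """Solve p^{n(1-alpha)} * n! * (T(GB) + T(roots)) = p^alpha * T(scalar).
    In log2 form: n*log2p*(1-alpha) + decomp = alpha*log2p + scalar, which is
    linear in alpha.  The attack time is the sum of the two (now equal) stages,
    2 * p^alpha * T(scalar).  Returns (alpha, log2 of the attack time in seconds)."""
    decomp = math.log2(math.factorial(n) * (t_gb + t_roots))
    scalar = math.log2(t_scalar)
    alpha = (n * log2p + decomp - scalar) / ((n + 1) * log2p)
    log2_time = 1 + alpha * log2p + scalar
    return alpha, log2_time

def asymptotic_alpha(n):
    """Sect. 3.4: with unit decomposition cost the balance sits at alpha = n/(n+1)."""
    return n / (n + 1)

def estimates():
    """alpha and log2(attack time) for every row of Table 1."""
    return {n: balance(n, *vals) for n, vals in MEASUREMENTS.items()}

if __name__ == "__main__":
    for n, (alpha, lt) in estimates().items():
        print(f"n={n}: alpha={alpha:.4f} (asymptotic {asymptotic_alpha(n):.4f}), "
              f"attack time 2^{lt:.1f} s")
```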

Table 2 details the resulting values of $\alpha$ for $n = 2, 3, 4$ and the corre-
sponding estimated attack times. As stated in §3.4 these estimates assume that
each set of $q^\alpha$ factor base elements has the same probability of expressing
a random decomposable point as a linear sum of elements from
that set.

The Pollard rho attack times have been estimated as $\sqrt{\pi \cdot 2^{256}/2}$ group opera-
tions, where the cost of a group operation has been estimated using the $T(\mathrm{scalar})$
times above, assuming use of the double and add algorithm. We have incorpo-
rated the speed-up afforded by performing random walks on equivalence classes
of points [14, 51] when the set of points $\{\pm\psi^i(P) : 0 \le i < m\}$ for a given point
$P$ are deemed to be equivalent, where $\psi$ is the homomorphism from [?]. This
results in the three curves having virtually identical security.
Table 2. Attack time estimates for our implementation. Times are in seconds.

  n   alpha           Attack time       Pollard rho
  2   0.6701 (2/3)    2^(illegible)     2^111.8
  3   0.7645 (3/4)    2^59.7            2^111.4
  4   0.8730 (4/5)    2^50.5            2^111.4


Pollard rho however is not the fastest asymptotic DLP algorithm in this con-
text. In the basic index calculus one finds $O(p)$ relations with a linear algebra cost
of $O(p^2)$. Assuming the decomposition cost is sufficiently small, one can reduce
the size of the factor base to balance the cost of the two stages, to $O(p^{2 - 2/(n+1)})$,
which is originally due to Harley. In addition, one can also use single and dou-
ble large prime variations [50, 26], resulting in complexities of $O(p^{2 - 2/(n + 1/2)})$ and
$O(p^{2 - 2/n})$ respectively.

Our implementation allows one to give upper bounds for the attack times
for each of these approaches, and consequently provides information regarding
what size of $p$ should be chosen to provide 128 bit security, for each $n$, subject
to our attack implementation. This security level is the length of time required
to compute $2^{128}$ basic group operations. Note that in the double large prime
variation, for the most interesting case $n = 4$ the number of relations required
is $O(p^{3/2})$. With our decomposition implementation, the time for the relation
generation stage is $p^{3/2} \cdot 4! \cdot 5366.68\text{s} \approx 2^{113.0}$s, which is comparable to Pollard
rho. Hence for this security level, $p$ of length 64 bits would appear to be secure.
However, in an optimised implementation the decomposition time could clearly
be improved, necessitating increasing $p$ accordingly to compensate. Furthermore,
since the relation generation stage is more costly than the linear algebra, to
balance the two stages of the algorithm one would need to increase the factor
base size marginally. These intricacies mean that although our implementation
provides an upper bound for the attack time, how to select an appropriate size $p$
to ensure security for elliptic curves over these extension fields remains an open
issue.


5.3 Characteristic Two 

For each of $n = 2, 3, 4$ and $5$ we used curves of the form

$E(\mathbb{F}_{2^{ln}}) : y^2 + xy = x^3 + b,$ (6)

for $b$ a randomly chosen element of $\mathbb{F}_{2^{ln}}$, such that $\#E(\mathbb{F}_{2^{ln}})$ was four times a
prime of bitlength 256. Note that (6) is the form of the Oakley curves [?]. Also
note that the base fields $\mathbb{F}_{2^l}$ in each case are not necessarily of prime extension
degree over $\mathbb{F}_2$. Since our focus was to compare the effect of characteristic for
fields of a given size with particular small extension degrees, we disregard any
possible DLP weaknesses due to Weil descent for these example curves.

For these curves the summation polynomials are surprisingly simple, and very
sparse, making their computation easy, in contrast to the prime base field case.
Observe that as a result the size of the $f_i$ and their symmetrisation is much smaller
than before, facilitating a much faster Gröbner basis computation for $n = 4$.

As was the case for prime base fields, for $n = 5$ we also had insufficient
memory to complete a decomposition using Gaudry’s method. However, as stated
in [?] and announced in [?], by attempting to write a random point on the
curve as a sum of four factor base elements as in [?] one is able to find such a
decomposition, at the expense of reducing the probability from $1/5!$ to $1/(2^l \cdot
4!)$. As with Gaudry’s decomposition method, this method is much faster in
characteristic two than in large prime characteristic. Thus for the Oakley Group
3 curve, the oracle-assisted Static DHP$_d$ problem is practical. Whether this can
be extended to the Oakley Group 4 curve is worthy of further investigation.

For $n = 2, 3$ and $4$ the time for a scalar multiplication is 0.014s. Table 3 details
the results using Gaudry’s decomposition technique, with the final row detailing
the results from the announcement [?] on the Oakley Group 3 curve.


Table 3. Data for testing and decomposing points for elliptic curves over binary ex-
tension fields and attack time estimates. Times are in seconds.

  n   l     #f_{n+1}   #sym f_{n+1}   Time GB   Time roots   alpha           Attack time
  2   129   5          3              0.000     0.008        0.6672 (2/3)    2^(illegible)
  3   86    24         6              0.005     0.008        0.7572 (3/4)    2^60.0
  4   65    729        39             247       0.88         0.8575 (4/5)    2^50.6
  5   52    148300     638            N/A       N/A          N/A             N/A
  5   31    729        39             0.021 (total time)     30/31           2^(illegible)


Note that despite the $\alpha$ values being smaller for binary fields — due to faster
decompositions — the attack times are slightly higher, because the fields are 258
and 260 bits in size, as opposed to 256 bits. Due to the scalar multiplication time
being very similar to the prime field case (with our implementation), the Pollard
rho times are similar and hence the curves in [?] should also be considered
vulnerable to our attack.

6 Other Cryptographically Relevant Assumptions 

Our proposed oracle-assisted Static DHP$_d$ algorithm also solves the Delayed Tar-
get DHP, as defined by Freeman [?], which may be phrased as follows: A solver
is given initial access to a Static DHP$_d$ oracle for the element $Q = dP \in G$;
when the Static DHP$_d$ oracle is removed, the solver is given a random element
$X \in G$ and must solve the DHP for input $(Q, X)$, namely, output $dX$.

Koblitz and Menezes studied this problem in the context of Jacobians of hy-
perelliptic curves of small genus [?], along with several other problems, includ-
ing the Delayed Target DLP, the One-More DHP and the One-More DLP. In
the Delayed Target DLP, rather than given access to a Static DHP$_d$ oracle, the
solver is given access to a discrete logarithm oracle but the problem is otherwise
identical to the Delayed Target DHP. In the One-More DHP and One-More DLP
the solver is supplied with a challenge oracle that outputs random elements of
the group, as well as a Static DHP$_d$ oracle or a DLP oracle respectively. This
time however the solver chooses an integer $t$ and must solve $t$ instances of the
Static DHP$_d$ or the DLP, but is only allowed to use the Static DHP$_d$ or the DLP
oracle at most $t - 1$ times.

The One-More DHP was first formulated in [?] while the One-More DLP was
first formulated in [?] and [?]. Using Jacobians of hyperelliptic curves of small
genus as example groups, Koblitz and Menezes argue that the constituents of
each of the two pairs of similar problems — the Delayed Target DHP and De-
layed Target DLP, and the One-More DHP and One-More DLP — should each
be incomparable to one another. In particular there very probably does not exist
a reduction between the Delayed Target DHP and the Delayed Target DLP, since
in some groups the former appears to be easier than the latter, while in others
the converse is true, and similarly for the One-More problems. However, their
analysis of the Delayed Target DHP and One-More DHP contains a minor over-
sight, since it only considers the impact of the Brown-Gallant-Cheon algorithm
and not the index calculus methods they used for studying the corresponding
DLP versions. Doing so for Jacobians of hyperelliptic curves of genus $> 3$, one
sees that the complexities for the Delayed Target problems are identical, and
similarly for the One-More problem variants.

Indeed, taking the basic Static DHP_d algorithm presented in §3.2, one sees that 
by changing the Static DHP_d oracle calls to DLP oracle calls, one obtains an 
otherwise unaltered algorithm, and hence the complexities of the two delayed 
target problems are the same. Similarly any variation in factor base size will 
give rise to algorithms of the same complexity; the oracle calls themselves are 
not relevant to the structure of the algorithm, so it should be clear that for any 
group in which one can identify and use a factor base to generate relations, the 
Delayed Target DHP and Delayed Target DLP will have identical complexities, 
whenever this method provides the most effective means to solve both problems. 
Exceptions to this condition arise, for instance, when a faster algorithm applies 
to just one problem, as with the Brown-Gallant-Cheon algorithm for the Delayed 
Target DHP, for an elliptic curve over F_p whose group order ±1 is divisible by 
an integer of size ≈ p^{1/3}. 

For the One-More problem variants, in our context we have the following simple 
algorithm. We choose the same factor base F as in §3.2 and perform |F| Static 
DHP_d oracle calls on its elements. Then for each of the |F| + 1 challenge 
elements, we solve the appropriate problem exactly as before. The only difference 
between the one-more and the delayed target problems is that for the one-more 
variants we must solve |F| + 1 such challenges, and not just one. If we perform 
the analysis of §[illegible] once more we find that the optimal size of F is given 
by α = 1, exactly as in §4.5 of |2B|. As before either oracle can be applied to a 
given relation and so the One-More DHP and One-More DLP have the same complexity, 
and again will do so in any group for which this method provides the most 
effective means to solve both problems. 
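As an added illustration (not from the paper), the following Python toy carries out the structure described in this and the preceding paragraph: one oracle call per factor base element, removal of the oracle, then |F| + 1 challenges solved by a single unchanged randomise-and-decompose routine, with only the final combination step depending on whether a Static DHP_d oracle or a DLP oracle answered. The group is Z_p^* with the safe prime p = 10007 and generator 5 (a quadratic non-residue mod p), the factor base is the primes up to 29, and the oracle wrappers, names and parameters are assumptions of this example; the Delayed Target problem is the single-challenge case of the same code.

```python
"""Added example (not from the paper): Delayed Target / One-More DHP and DLP
solved with a factor base in the toy group Z_p^*. The oracle phase and the
smoothness/decomposition phase are shared; only the final combination step
depends on which oracle answered."""
import random


def decompose(n, factor_base):
    """Exponent vector of the integer n over factor_base, or None if n is not smooth."""
    exps = []
    for q in factor_base:
        e = 0
        while n % q == 0:
            n //= q
            e += 1
        exps.append(e)
    return exps if n == 1 else None


class RevocableOracle:
    """Counts queries; revoke() models the oracle being taken away after phase one."""

    def __init__(self, func):
        self.func, self.calls, self.revoked = func, 0, False

    def __call__(self, y):
        if self.revoked:
            raise RuntimeError("oracle access has been removed")
        self.calls += 1
        return self.func(y)

    def revoke(self):
        self.revoked = True


def solve_challenge(p, g, factor_base, X, combine, rng):
    """Randomise X by g^k until X*g^k is smooth over the factor base, then combine."""
    while True:
        k = rng.randrange(p - 1)
        exps = decompose(X * pow(g, k, p) % p, factor_base)
        if exps is not None:
            return combine(exps, k)


def dhp_combiner(p, Q, answers):
    """answers[i] = q_i^d.  (X g^k)^d = prod (q_i^d)^{e_i}, so X^d = prod * Q^{-k}."""
    def combine(exps, k):
        prod = 1
        for a, e in zip(answers, exps):
            prod = prod * pow(a, e, p) % p
        return prod * pow(Q, -k, p) % p
    return combine


def dlp_combiner(p, answers):
    """answers[i] = log_g q_i.  log(X g^k) = sum e_i log q_i, so log X = sum - k."""
    def combine(exps, k):
        return (sum(a * e for a, e in zip(answers, exps)) - k) % (p - 1)
    return combine


def one_more(p, g, factor_base, oracle, make_combiner, challenges, rng):
    """|F| oracle calls on the factor base, oracle removed, then every challenge
    solved offline. Delayed Target is the special case of a single challenge."""
    answers = [oracle(q) for q in factor_base]   # identical for DHP_d and DLP oracles
    oracle.revoke()
    combine = make_combiner(answers)
    return [solve_challenge(p, g, factor_base, X, combine, rng) for X in challenges]


def demo(p=10007, g=5, seed=1):
    """Run both variants on |F|+1 challenges; returns facts a test can check."""
    # p is a safe prime and 5 is a non-residue mod p, so 5 generates Z_p^*.
    assert pow(g, 2, p) != 1 and pow(g, (p - 1) // 2, p) != 1
    rng = random.Random(seed)
    factor_base = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29]     # constructed toy choice
    d = rng.randrange(1, p - 1)                           # the oracle's secret
    Q = pow(g, d, p)                                      # Q = dP in additive notation
    dhp_oracle = RevocableOracle(lambda y: pow(y, d, p))
    log_table = {pow(g, i, p): i for i in range(p - 1)}   # toy DLP oracle by lookup
    dlp_oracle = RevocableOracle(lambda y: log_table[y])
    challenges = [pow(g, rng.randrange(1, p - 1), p) for _ in range(len(factor_base) + 1)]
    dX = one_more(p, g, factor_base, dhp_oracle, lambda a: dhp_combiner(p, Q, a), challenges, rng)
    xs = one_more(p, g, factor_base, dlp_oracle, lambda a: dlp_combiner(p, a), challenges, rng)
    return {
        "dhp_ok": all(v == pow(c, d, p) for v, c in zip(dX, challenges)),
        "dlp_ok": all(pow(g, x, p) == c for x, c in zip(xs, challenges)),
        "oracle_calls": (dhp_oracle.calls, dlp_oracle.calls),
        "challenges": len(challenges),
    }
```

With t = |F| + 1 = 11 challenges the solver uses exactly t − 1 = 10 oracle calls in either variant, and `one_more` never touches the oracle after `revoke()`; the only code that differs between the DHP and DLP runs is the two small combiners.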
Interestingly this means that even when one cannot find a natural reduction 
between two problems, the presence of an effective index calculus ensures that in 
some circumstances the problems have the same complexity. Furthermore the two 
pairs of problems considered above (as well as the oracle-assisted Static DHP_d) are 
easier to solve than the DLP, for elliptic curves over extension fields, Jacobians 
of hyperelliptic curves of genus ≥ 3, and indeed for any group for which index 
calculus provides the best means to solve each of these problems. 
Abstract. This paper investigates the Random Oracle Model (ROM) 
feature known as programmability , which allows security reductions in 
the ROM to dynamically choose the range points of an ideal hash func- 
tion. This property is interesting for at least two reasons: first, because 
of its seeming artificiality (no standard model hash function is known to 
support such adaptive programming); second, the only known security 
reductions for many important cryptographic schemes rely fundamen- 
tally on programming. We provide formal tools to study the role of pro- 
grammability in provable security. This includes a framework describing 
three levels of programming in reductions (none, limited, and full). We 
then prove that no black-box reductions can be given for FDH signa- 
tures when only limited programming is allowed, giving formal support 
for the intuition that full programming is fundamental to the provable 
security of FDH. We also show that Shoup’s trapdoor-permutation-based 
key-encapsulation is provably CCA-secure with limited programmability, 
but no black-box reduction succeeds when no programming at all is per- 
mitted. Our negative results use a new concrete-security variant of Hsiao 
and Reyzin’s two-oracle separation technique. 

Keywords: hash functions, random oracle model, programmability, in- 
differentiability framework. 


1 Introduction 

In the random oracle model (ROM) [1] parties are provided oracle access to a 
publicly available random function, a random oracle (RO). A random oracle is 
often viewed as the idealization of a cryptographic hash function, and security 
proofs in the ROM provide heuristic support for actual security when real hash 
functions are used instead. The ROM enables proofs of security for a multitude 
of important schemes because reductions may exploit various properties of a RO 
that can be realized only to a limited extent (if at all) in the standard model. 

[Figure 1 (diagram); the only labels that survive extraction are "Randomly-Programming 
Reduction" and "Weakly-Programmable ROM".] 

Fig. 1. Relations between the proposed models and example results. A "public" 
interface indicates that reduction B can see all queries of adversary A, whereas 
"set $" denotes that B can re-assign random values to R, and R^ρ denotes a 
weakly-programmable RO. The "example: xxx" labels indicate a scheme xxx that enjoys 
a proof of security in the model above it, but for which we show black-box 
separation results implying the difficulty of proving its security in models to 
the right. 

One such property is programmability. Loosely speaking, a random oracle can 
be “implemented” by dynamically selecting return values, and so long as the 
distribution of outputs is correct (uniform on the specified range), any method 
for selecting these values is permitted. The technique of programming RO output 
values in a security reduction seems crucial in countless positive results, e.g. [1, 
3-5,7]. However, no standard model function is known to provide the completely 
arbitrary and adaptive programmability provided by a RO, making it natural 
to wonder: which (if any) of these results could have been established without 
exploiting the full programmability of the ROM? 

In this paper we formally explore models in which programmability of the 
random oracle in reductions is restricted. For this, we propose a form of limited 
programmability that is between full and no programmability. We provide two 
different but, surprisingly, equivalent characterizations of this limited form of 
programmability. We use them to show that: (1) one can prove (using a new 
variant of the Hsiao-Reyzin two-oracle separation technique [11]) the inability 
to give a programming-limited black-box reduction for the FDH signature 
scheme [1] and (2) that Shoup’s trapdoor-permutation-based key encapsulation 
scheme (TDP-KEM) [15] is provably CCA secure given only limited programma- 
bility, while no black-box reduction works when programming is forbidden. For 
a diagrammatic summary of our main results, see Figure 1. 

Random Oracles with(out) Programmability 305 

Modeling (Non-)Programmability in Reductions. Nielsen [13] was the 
first to formally investigate the role of programmability in security results. He 
showed that there is no way to realize a natural cryptographic functionality 
(non-committing non-interactive encryption) in a ROM-like model that strictly 
prohibits programming of RO outputs. His result, and a more recent one by 
Wee [17] in the context of zero-knowledge, apply to simulation-based notions 
of security, and in particular restrict the ability of the simulator in these to 
program the RO. Unfortunately, these approaches are not sufficient to reason 
about the majority of ROM security proofs, which exploit programmability in 
security reductions, for example to embed an instance of a hard problem into 
RO outputs. 

Our work considers this complementary direction, by investigating security 
reductions in models equipped with random oracles, but in which the ability 
of the reduction to program the random oracle is constrained. Along the lines 
of Nielsen’s approach [13] in the simulation-based setting, our first contribu- 
tion is to formalize non-programming reductions in the black-box (BB) setting 
(i.e. reductions only have oracle access to adversaries) by making the reduction 
work relative to an external RO (to which the adversary also has access). 1 We 
then propose a natural relaxation called randomly-programming reductions. In- 
tuitively, the external random oracle is realized by a message-indexed table of 
randomly-chosen points, and while the reduction does not get to pick the range 
points, it can pick the order they appear in the table. As we shall see, this lim- 
itation on programming realizes an interesting middle point between full and 
no programming, and one that captures the provability of important schemes. 
Finally, a fully-programming reduction allows the reduction to arbitrarily choose 
output range values, as in traditional ROM proofs. 

The Weakly-Programmable Random Oracle Model. A limitation of the 
above reduction-centric approach is the restriction to BB reductions. Indeed, as 
observed by Nielsen [13], providing models in which one can argue about 
limitations on programmability in non-BB reductions is challenging. This is because, 
in a non-BB setting, the reduction directly simulates all oracle queries made by 
an adversary and so there is no way to force the reduction to work relative to 
an external RO. We resolve this difficulty for the case of randomly-programming 
reductions by proposing a new variant of the ROM. 

A Weakly-Programmable Random Oracle (WPRO) works as follows to form 
an idealized model of a hash function. Let ρ be an arbitrary function (whose 
range matches that of the hash function). For each distinct input x, the WPRO 
chooses its output to be ρ(r) for a random coin-string r. Additionally, the WPRO 
allows only adversaries to obtain the coins r used to generate any output. Then 
in the WPRO model (WPROM) all parties have access to a WPRO that uses 
a regular, one-way function ρ. The requirements on ρ ensure that the WPROM 
limits programmability. For example, attempting to program an output of the 
oracle to a given value y requires computing ρ^{-1}(y) and refuting one-wayness; 
regularity implies that the output of ρ is uniform, as usually required for random 
oracles. 


1 The reduction does see the queries made by the adversary and the oracle's replies. 

The WPRO model appears to have little to do with randomly-programming 
reductions. Nevertheless, we prove that the two characterizations of limited 
programming are strongly related. Namely, Proposition 3 states that any BB 
reduction in the WPROM implies a randomly-programming reduction, while 
Proposition 4 states that any randomly-programming reduction implies a reduc- 
tion in the WPROM. Besides being convenient in proving results (the WPROM 
typically being easier to work with), the equivalence provides some evidence 
that this formulation of limited programmability is well-founded. The results 
discussed next point to this as well. 

Implications for Practical Schemes. We put these new tools to use by 
reconsidering security proofs of various important schemes. These schemes can 
be viewed as initial and interesting case studies; we expect that one can use 
our techniques readily to analyze the need for programmability in many further 
schemes. 

A first example is FDH signatures. The only known security proofs [1, 7] 
use reductions that embed a challenge range point for the underlying trapdoor 
permutation in one (or more) of the hash query responses. It may be, though, 
that a clever reduction exists that does not rely on programming. We give formal 
evidence that this is unlikely: Theorem 4 states that no BB reduction exists 
that shows FDH is secure in the WPROM, even for a very weak definition of 
unforgeability. Even if the intuition is clear that programming plays a significant 
role in existing reductions, we emphasize that proving the inability to give a 
reduction here is technically involved. Previous negative results use inherently 
asymptotic methods to achieve black-box separations in the uniform setting. 
Instead, our proof of Theorem 4 makes use of a novel approach that is non- 
asymptotic in nature. This result is complementary to existing negative results 
about FDH, e.g. [8]. (See the full version for additional discussion.) 

A more involved example is Shoup’s TDP-KEM [15]. Shoup’s (IND-CCA) se- 
curity proof does not involve embedding a challenge in the output of the RO, but 
rather programming is used to ensure consistency between simulation of a de- 
capsulation oracle and simulation of the RO. We show the following surprising 
result: Shoup’s TDP-KEM is CCA-secure in the WPROM (Theorem 2), but no 
non-programming BB reduction exists for showing CCA-security (Theorem 3). 
The negative result is even more complex than in the FDH case, involving several 
interesting technical hurdles (e.g. dealing with the fact that reductions can rewind 
adversaries, explicitly allowed in our non-programming reduction framework). 

We also observe that OAEP [2] is an example of a scheme whose proof requires 
no programming whatsoever. This is actually evident by inspection of the proof 
given in [9]. We give the details in the full version, where all proofs omitted due 
to space constraints can also be found. 

Discussion. Note that proving security with limited or no programming (still) 
only provides heuristic evidence for security. That said, it could be the case that 
proofs in the WPROM or that use a non-programming reduction provide a better 
heuristic than the ROM. While this would hold for any weakening of the ROM, 
we feel that programmability is a particularly interesting case due to its apparent 
artificiality. Note, for example, that one can actually run a non-programming 
RO reduction when a concrete hash function (e.g. SHA-256) is used to realize 
the RO. This is not true for fully or randomly-programming reductions. 

Further Related Work. Hofheinz and Kiltz [10] offer some insights on pro- 
grammability from a completely different angle. Generalizing a technique due 
to Waters [16], they built standard-model hash functions that provide a limited 
form of programmability. Unfortunately, their hash functions are not sufficiently 
programmable to admit the techniques used in security arguments for ROM 
schemes like FDH and Fiat-Shamir. Nonetheless, their work indicates that a 
better understanding of programmability could lead to more broadly applicable 
standard-model solutions. 

2 Reduction-Centric Models 

In this section, we first formalize at an abstract level the general concept of a 
black-box reduction in the random oracle model. Furthermore, we present two 
variations of the black-box reduction notion where the reduction’s capabilities 
in programming the random oracle are restricted. 


2.1 Preliminaries 

We begin by establishing notation and execution semantics for algorithms and 
oracles. 

Oracle Access to Adversaries. We model all algorithms (e.g. adversaries 
and reductions) and ideal primitives (e.g. random oracles) as interactive Turing 
machines (ITM). In particular these machines can be probabilistic and can keep 
state. Each machine may have several communication tapes, which we usually 
call interfaces, that connect different machines to each other. We write A^{(·)} to 
denote an ITM A with an interface that expects oracle (i.e. black-box) access to 
some other ITM. A reduction B with oracle access to adversary A^{(·)} (denoted 
as B^{A^{(·)}}) is allowed to do the following: 

— At any time, B can start a copy of the algorithm A^{(·)} on (chosen) randomness 
and input, where the random coins are those used to compute the first 
output (or oracle query). 

— Once such a copy is started, B obtains each value output by A and must 
provide both the corresponding answer and the random coins needed for 
the execution of A to continue to its next output. (This includes queries to 
the given oracles.) 

— At any point in time, B may halt the execution of the current copy of A. 

Note that the model is general enough so that B can, for example, "rewind" the 
adversary A to an arbitrary output by running a new copy of A with previously 
given coins. 
We stress that if we write that B is given oracle access to A^O for a particular 
oracle O (as opposed to A^{(·)}), then B does not get to answer A's queries to O. 
Queries are sent directly to, and answered directly by, O itself. We write (for 
example) A^{((·), O)} when we wish to be explicit that queries to the first oracle are 
controlled by B, and the second are not. Sometimes we will simply omit some of 
the oracles which are controlled by B: the understanding is that any oracle which 
is not explicitly given to A in our notation can be controlled by the reduction. 

Finally, we write A^{O ⇝ B} to mean the following: when A queries x to O, x is 
forwarded to B, which can then perform some computations, call other oracles, 
and only after this triggers delivery of O(x) to A. The answer is however given 
by O directly (but visible to B) and there is no way for B to influence it directly.^2 
This construct will be useful in a number of contexts. 

Security Properties. It is convenient to consider generic security properties 
Π for cryptographic primitives defined in terms of games involving a candidate f 
(called a Π-candidate) and an adversary A (called a Π-adversary). In particular, 
with each triple f, A and Π we associate an advantage Adv^Π_f(A), and f is said to 
be Π-secure if Adv^Π_f(A) is small for all efficient adversaries A. It is convenient 
to assume that the advantage satisfies the following linearity condition: if an 
oracle O behaves as O_1 with probability p and as O_2 with probability 1 − p, 
then 

    Adv^Π_{f^O}(A^O) = p · Adv^Π_{f^{O_1}}(A^{O_1}) + (1 − p) · Adv^Π_{f^{O_2}}(A^{O_2}) 

for every (oracle) primitive f and all adversaries A. Despite there being a few 
advantage notions that do not satisfy this property (e.g. distinguishing advantage 
with absolute values), an equivalent notion satisfying this property can typically 
be given (e.g. dispense with the absolute values). 


2.2 Black-Box Reductions in the ROM 

When we talk about black-box reductions, we mean fully black-box security re- 
ductions as defined by Reingold et al. [14]. Those reductions are paramount 
in cryptography, especially for random-oracle based schemes with practical effi- 
ciency as a design goal. 

We present in Definition 1 below our formalization of fully-black-box reduc- 
tions in the ROM, as well as our two variants with limited and no programma- 
bility of the random oracle, which we first introduce in detail. 

Fully-Programming Reductions (FPRed). The first notion formalizes the 
standard concept of black-box reductions in the ROM. As they support the 
common strategy of programming the ROM without any restriction, we refer 
to such reductions as fully-programming reductions. 

Non-programming Reductions (NPRed). The first (stronger) new notion 
that we introduce captures the fact that the reduction has no control at all 
on the answers of random oracle queries. Namely, the queries are answered 
by a random oracle which is chosen once, independently from the reduction 

2 But the answer may be influenced through queries to related oracles. 
B and its input(s), and remains the same for every execution of an adversary 
A initiated by B. While the reduction B can learn all of the RO-queries 
issued by A, there is no way for B to influence their distribution. Intuitively, 
this models the fact that the reduction can be run with an external random 
oracle. 

Randomly-Programming Reductions (RPRed). Our second variant only 
allows the reduction B to program the RO with random instead of arbitrary 
values, and is hence somewhat between fully- and non-programming 
reductions. To this end, we first introduce a randomly-programmable random 
oracle (RPRO), which is an idealized object that exposes three interfaces: 
R_eval, R_rand, R_prog (a conventional RO can be seen as having a single 
interface to callers). If called via the evaluation interface R_eval, it behaves 
as a conventional random oracle mapping Dom → Rng. A second random 
interface R_rand implements a random mapping {0,1}* → Rng. Finally, the 
programming interface R_prog takes X ∈ Dom and Y ∈ {0,1}* as input, and 
sets R_eval(X) to be the same as R_rand(Y). 

As A's queries to the evaluation interface R_eval are public, the reduction 
B is allowed, on query X by A, to perform a number of R_rand calls 
followed by a suitable R_prog(X, Y) invocation in order to let the output of 
A's query satisfy a certain property before the query is actually answered to 
A. This allows a minimal amount of programmability; for instance, a constant 
number of output bits can be forced to take some input-dependent value. 
We note that these interfaces allow one to "reprogram" the random oracle. This 
supports, among other things, the ability to rewind the adversary and run it 
on "another", partly consistent random oracle, but where the reduction does 
not need to choose the actual values. Note that non-programming reductions 
prevent such forking techniques. 
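To make the three interfaces concrete, here is an added Python example (not from the paper) of an RPRO with R_eval, R_rand and R_prog, together with the reduction-side trick just described: on A's public query X, B samples R_rand on fresh labels until the low bits match an input-dependent target and then calls R_prog(X, Y), and later reprograms X to a fresh random value as a rewinding reduction would. The class and function names, the 32-bit range and the byte-string labels are assumptions of this example.

```python
"""Added example (not from the paper): a randomly-programmable random oracle
with interfaces R_eval, R_rand, R_prog, and the only kind of programming a
randomly-programming reduction can do with it."""
import random


class RPRO:
    """R_eval: Dom -> Rng and R_rand: {0,1}* -> Rng are two lazily sampled random
    functions; R_prog(X, Y) sets R_eval(X) := R_rand(Y). Rng = {0,1}^rng_bits."""

    def __init__(self, rng_bits=32, seed=0):
        self.rng_bits = rng_bits
        self.rand = random.Random(seed)        # the oracle's own coins, not B's
        self.eval_tab, self.rand_tab = {}, {}
        self.prog_calls = 0

    def _fresh(self):
        return self.rand.getrandbits(self.rng_bits)

    def R_eval(self, X):
        if X not in self.eval_tab:
            self.eval_tab[X] = self._fresh()
        return self.eval_tab[X]

    def R_rand(self, Y):
        if Y not in self.rand_tab:
            self.rand_tab[Y] = self._fresh()
        return self.rand_tab[Y]

    def R_prog(self, X, Y):
        self.prog_calls += 1
        self.eval_tab[X] = self.R_rand(Y)     # B can only copy a random point in


def force_low_bits(rpro, X, wanted, nbits, max_tries=1 << 16):
    """Before A receives R_eval(X), sample R_rand on fresh labels until the low nbits
    equal `wanted`, then program X to that label. Expected cost is 2^nbits R_rand
    calls, which is why only a constant number of bits can be forced. Returns tries."""
    mask = (1 << nbits) - 1
    for i in range(max_tries):
        Y = b"%s|%d" % (X, i)                  # a distinct label in {0,1}*
        if (rpro.R_rand(Y) & mask) == wanted:
            rpro.R_prog(X, Y)
            return i + 1
    raise RuntimeError("gave up: too many bits for a randomly-programming reduction")


def fork(rpro, X, label):
    """Reprogramming used when rewinding A: X gets the fresh random value R_rand(label)."""
    rpro.R_prog(X, label)
    return rpro.R_eval(X)


def demo(seed=7):
    rpro = RPRO(rng_bits=32, seed=seed)
    X = b"message-to-be-hashed"                 # A's query, visible to B
    wanted = 0b101                              # an input-dependent 3-bit target
    tries = force_low_bits(rpro, X, wanted, nbits=3)
    first = rpro.R_eval(X)                      # what A is then given
    second = fork(rpro, X, b"second-run")       # rewind A and answer X afresh
    return {
        "low_bits_ok": (first & 0b111) == wanted,
        "tries": tries,
        "value_from_rand": first in rpro.rand_tab.values(),   # B never chose it
        "fork_changed": first != second,
        "fork_from_rand": second == rpro.rand_tab[b"second-run"],
    }
```

Note what is absent: there is no interface that lets B set R_eval(X) to a value of its choosing, so an FDH-style embedding of a given challenge point y would require finding a label Y with R_rand(Y) = y, i.e. searching a 2^32 space here and an infeasible one for a real range.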

In the following, let S = S^R[f] be a cryptographic scheme relying on a primitive 
f and a random oracle R : Dom → Rng. Let Π and Π' be security properties 
which can possibly be satisfied by S and f, respectively. 

Definition 1 (FPRed, NPRed, RPRed). Let X ∈ {fully-programming, 
non-programming, randomly-programming}. A (Π → Π', δ, t, q_O, q_A)-fully-BB 
X ROM security reduction for S is an oracle machine B^{(·,·)} with the property 
that for all^3 Π-adversaries A^{(·)} and all Π'-candidates f, if 

    Adv^Π_{S^R[f]}(A^R) ≥ ε 

for a random oracle R : Dom → Rng and ε > 0, then 

    Adv^{Π'}_f(B^{O_1, A^{O_2}}) ≥ δ(ε, q, ℓ), 

where q is the total number of queries A makes and ℓ is the overall length of these 
queries. Furthermore, B runs in time t, makes q_O queries to the given oracle(s) 
O_1 and runs q_A instantiations of A^{O_2}, where all three quantities are functions 
of ε, q, and ℓ. Moreover, when: 

X = fully-programming, then O_1 = f, O_2 = (·), and q_O = q_F; 
X = non-programming, then O_1 = (f, R), O_2 = R_pub, and q_O = (q_F, q_R); 
X = randomly-programming, then O_1 = (f, R'_eval, R'_prog, R'_rand), 
O_2 = R'_{eval, pub}, and q_O = (q_F, q_ev, q_pr, q_ra), 
where R' = (R'_eval, R'_prog, R'_rand) is a RPRO. 

3 In particular, including those which are not efficiently implementable. 


2.3 Black-Box Separations 

This paper uses a novel approach in order to obtain black-box separations in 
the concrete setting. The approach applies to all notions of reductions defined 
in this paper, but we illustrate it in the context of FPRed reductions. In order 
to disprove the existence of a fully-BB reduction within a certain class of 
reductions, for every reduction B of interest, we have to prove the existence of a 
Π'-candidate f and an adversary A such that Adv^Π_{S^R[f]}(A^R) is large, but the 
advantage Adv^{Π'}_f(B^{f, A^{(·)}}) is small. We will achieve this by first showing the 
existence of a randomized Π'-candidate F and an adversary A_P with private 
random coins P (i.e. not controllable by B) such that Adv^Π_{S^R[f]}(A_p^R) is large 
for all values p of the random coins P and for all (fixed) primitives f obtained 
by fixing the coins of F, but Adv^{Π'}_F(B^{F, A_P^{(·)}}) is small for all reductions B of 
interest. Because of the linearity of the advantage measures, we have 

    Adv^{Π'}_F(B^{F, A_P^{(·)}}) = E_{p,f}[ Adv^{Π'}_f(B^{f, A_p^{(·)}}) ], 

where the expected value is taken over the choice of the private coins p and 
the primitive f realized by F (with the corresponding probability distributions, 
which may in the general case even be correlated). Therefore, for all reductions B 
of interest, there must exist some particular f and some adversary A := A_p^{(·)} 
without private coins such that Adv^{Π'}_f(B^{f, A}) ≤ Adv^{Π'}_F(B^{F, A_P^{(·)}}) is small, too. 
Hence, such a statement (for randomized primitives) also implies the inexistence 
of a reduction working universally for all primitives: in particular, there is no 
need to apply well-known classical asymptotic (and uniform) de-randomization 
techniques based on the Borel-Cantelli lemma. To the best of our knowledge, 
this approach is novel to this paper. 

3 The Weakly Programmable ROM 

In the previous section programmability (or the lack thereof) is captured by 
considering a restricted set of reductions; from the point of view of the adversary 
being employed by the reduction, nothing has changed. In this section we take an 
alternative approach, modifying the random oracle itself rather than restricting 
the reduction. 

subroutine R^ρ_hon(X): 
    if T[X] ≠ ⊥ then ret T[X] 
    r ←$ Coins ; z ← ρ(r) 
    T[X] ← z ; R[X] ← r 
    ret T[X] 

subroutine R^ρ_adv(X): 
    if T[X] ≠ ⊥ then ret T[X], R[X] 
    r ←$ Coins ; z ← ρ(r) 
    T[X] ← z ; R[X] ← r 
    ret T[X], R[X] 

Fig. 2. The weakly-programmable random oracle ideal primitive R^ρ for ρ : Coins → 
Rng. Initially T[X] = ⊥ for all X. 

Consider a random oracle as a mapping from Dom to Rng, where Rng is 
finite and non-empty. Since we model ideal primitives by stateful and 
probabilistic interactive Turing machines we can imagine the random oracle as 
being implemented via so-called lazy sampling: whenever a new query X ∈ Dom 
appears, the random oracle returns a random value z ←$ Rng and stores the 
pair (X, z) for further use. We now restrict the way the random oracle's 
answers z are determined. Namely, we parameterize the random oracle by a 
function ρ : Coins → Rng for a finite, non-empty set Coins. Each time the random 
oracle receives a new query X it picks r ←$ Coins at random, returns z = ρ(r), 
and stores X together with r. 

Now, recall that an ideal primitive can have multiple interfaces. In what fol- 
lows, we consider two: an honest interface for use by honest parties and protocols; 
and an adversarial interface. Loosely, the latter will give the adversary an ability 
to “validate” that the random oracle is behaving properly. Formally, we give the 
following definition of a (p-restricted) weakly programmable random oracle. 

Definition 2 (WPRO). For a function ρ : Coins → Rng the ideal primitive 
R^ρ = (R^ρ_hon, R^ρ_adv) described in Figure 2 is called a ρ-WPRO (or simply WPRO 
if ρ is implicitly clear). 

Notice that the honest interface of this object returns the range point z 
associated with the queried input. The adversarial interface returns both that 
range point and the random value r used to generate z. 

At this point we have not imposed any restriction on ρ. For example, if ρ 
is the identity function (and Rng = Coins) then the resulting ideal primitive is 
equivalent to a normal random oracle. On the other end of the spectrum, if ρ is a 
constant function then it is clear that R^ρ would not model an ideal cryptographic 
hash function. Thus we establish what it means for a function ρ to be good. 

Definition 3 (Good ρ). A function ρ : Coins → Rng is called good for Rng 
if and only if: (1) Coins is finite, (2) |Rng| divides |Coins| and (3) ρ is regular, 
i.e. for all y ∈ Rng we have 

    |{r ∈ Coins : ρ(r) = y}| = |Coins| / |Rng|. 

Clearly any good ρ is such that, when evaluated on a uniformly chosen domain 
point, one gets a uniform range point. (And conversely, if a uniform distribution 
on the domain of ρ induces a uniform distribution on the range, ρ is good.) Said 
another way, a random oracle R : Dom → Rng and WPRO R^ρ_hon (with matching 
domain and range) are information-theoretically indistinguishable if and only if 
ρ is good for Rng. 

It is easy to see that various kinds of functions ρ will limit a reduction's ability 
to program. For the scenarios we consider, the crucial property of ρ that makes 
the reductions (the proofs of security) fail is one-wayness of ρ (stated in the 
non-asymptotic setting via an upper bound on an algorithm's inversion probability). 
For any function ρ and owf-adversary A we define the owf advantage as 

    Adv^owf_ρ(A) = Pr[ ρ(r) = ρ(r') : r ←$ Coins ; r' ←$ A(ρ(r)) ], 

where an owf-adversary A is a probabilistic algorithm that takes as input a point 
y ∈ Rng and outputs a domain point r' ∈ Coins. 

One-wayness of ρ ensures non-programmability in the following sense: consider 
for example a security reduction like the traditional one for FDH. This 
reduction receives a random image y under a trapdoor permutation and, at 
some point, injects this value as the hash value in a black-box simulation for 
an allegedly successful adversary. But since the adversary can access the R^ρ_adv 
interface, the reduction would also need to provide a preimage of y under ρ, 
violating the one-wayness of ρ. 
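The following added Python example (not the paper's code) implements the ρ-WPRO of Figure 2 with its honest and adversarial interfaces, the goodness test of Definition 3 by enumeration, and the FDH-style programming attempt just described: forcing R_hon(X) to a chosen y is only consistent with what the adversarial interface reveals if the reduction also knows ρ^{-1}(y). The instance ρ(r) = 5^r mod 23 over Coins = Z_22 and Rng = Z_23^* is a constructed toy (regular because 5 generates Z_23^*; far too small to be one-way), chosen so that the regularity count can be done exhaustively; all names and parameters are this example's assumptions.

```python
"""Added example (not from the paper): the WPRO ideal primitive of Fig. 2, the
goodness test of Definition 3, and why programming an output requires rho^{-1}."""
import random
from collections import Counter


def is_good(rho, coins, rng):
    """Definition 3: Coins finite, |Rng| divides |Coins|, and every y in Rng has
    exactly |Coins|/|Rng| preimages under rho."""
    coins, rng = list(coins), list(rng)
    if not coins or len(coins) % len(rng) != 0:
        return False
    counts = Counter(rho(r) for r in coins)
    want = len(coins) // len(rng)
    return len(counts) == len(rng) and all(counts[y] == want for y in rng)


class WPRO:
    """Lazily sampled R^rho: on a new X pick r <-$ Coins, store T[X] = rho(r), R[X] = r."""

    def __init__(self, rho, coins, seed=0):
        self.rho, self.coins = rho, list(coins)
        self.T, self.R = {}, {}
        self.rand = random.Random(seed)

    def _sample(self, X):
        if X not in self.T:
            r = self.rand.choice(self.coins)
            self.T[X], self.R[X] = self.rho(r), r

    def hon(self, X):            # R^rho_hon: honest parties see only the range point
        self._sample(X)
        return self.T[X]

    def adv(self, X):            # R^rho_adv: the adversary also gets the coins
        self._sample(X)
        return self.T[X], self.R[X]

    def program(self, X, z, r):
        """What a reduction must do to force hon(X) = z: it has to supply coins r as
        well, because adv(X) will hand r to the adversary."""
        self.T[X], self.R[X] = z, r


def adversary_validates(wpro, X):
    """The check the adversarial interface enables: do the exposed coins explain z?"""
    z, r = wpro.adv(X)
    return wpro.hon(X) == z and wpro.rho(r) == z


def invert_by_search(rho, coins, z):
    """Brute-force rho^{-1}(z); for a genuinely one-way rho this step is infeasible."""
    for r in coins:
        if rho(r) == z:
            return r
    return None


def demo():
    p, g = 23, 5                                  # constructed toy instance
    coins, rng = range(p - 1), range(1, p)        # Coins = Z_22, Rng = Z_23^*
    rho = lambda r: pow(g, r, p)                  # regular: 5 generates Z_23^*
    results = {
        "rho_good": is_good(rho, coins, rng),
        "const_good": is_good(lambda r: 1, coins, rng),          # constant: not good
        "trunc_good": is_good(lambda r: r % 11, coins, range(11)),  # 2-to-1: good
    }
    w = WPRO(rho, coins, seed=3)
    results["fresh_consistent"] = (adversary_validates(w, b"m0")
                                   and w.hon(b"m0") == w.adv(b"m0")[0])
    # FDH-style programming: embed the challenge point y = 7 as the hash of b"m1".
    y = 7
    w.program(b"m1", y, r=0)                      # no preimage known: guess r = 0
    results["blind_program_detected"] = not adversary_validates(w, b"m1")
    r = invert_by_search(rho, coins, y)           # i.e. break one-wayness of rho
    w.program(b"m1", y, r)
    results["programmed_with_preimage"] = (adversary_validates(w, b"m1")
                                           and w.hon(b"m1") == y)
    return results
```

With ρ the identity on Coins = Rng the same class is just a lazily sampled random oracle, which is the first observation made after Definition 2; the `program` method exists only to show that the adversarial interface, not the honest one, is what defeats the embedding.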

Reductions in the WPRO Model. One can straightforwardly define a WPRO 
model (WPROM) by analogy to the ROM (all honest parties have access to R_hon, 
adversarial parties have access to R_adv), and the notion of a black-box reduction 
naturally extends to this model. In particular, we consider a strong notion of 
reduction that allows any good function ρ, regardless of whether ρ is efficiently 
computable or not. 

Definition 4 (WPROM Reduction). A (Π → Π', δ, t, q_ρ, q_F, q_A)-fully-BB 
WPROM security reduction for S is an oracle machine B^{(·,·,·)} with the property 
that for all Π-adversaries A^{(·)}, all good functions ρ for Rng, and all Π'-candidates 
f, if 

for a ρ-WPRO R^ρ = (R^ρ_hon, R^ρ_adv) with range Rng and ε > 0, then 

    Adv^{Π'}_f(B^{ρ, f, A^{(·)}}) ≥ δ(ε, q, ℓ), 

where q is the total number of queries A makes and ℓ is the overall length of 
these queries. Furthermore, B runs in time t, makes q_ρ and q_F queries to the 
given ρ and f, respectively, and runs q_A instantiations of A^{(·)}, where all three 
quantities are functions of ε, q, and ℓ. 

Since the reduction notion quantifies over all good p, a reduction must work for 
one-way p. Indeed, it must also work for a p chosen randomly from the set of 
all functions Coins — > Rng. In this way reductions must avoid making use of 
FDH-style programming: a reduction cannot inject a specific range point into 
one of WPRO’s responses. As we will see in the next section, however, one can 
take advantage of more limited programming techniques in the WPRO model. 

Although all the WPROM reductions given in this paper are fully black-box as 
per the definition above, we emphasize that the WPRO model is distinct from the 
formulations in Section 2 in that one can give non-black-box reductions in it. 


4 Relationships among Types of Reductions 

Having specified our reduction settings, we now establish the relationships among
them. We begin by stating the intuitive implications: a non-programming BB
reduction implies a randomly programming one, which in turn implies a fully
programmable reduction. The straightforward proofs are omitted. Let $S = S^{f,R}$
be a scheme relying on a cryptographic primitive $f$ and a random oracle
$R : \mathrm{Dom} \to \mathrm{Rng}$. Let $\Pi$ and $\Pi'$ be security properties which
can possibly be satisfied by $S$ and $f$, respectively.

Proposition 1 (NPRed $\Rightarrow$ RPRed). If there exists a non-programming
$(\Pi \to \Pi', \delta, t, q_F, q_R, q_A)$-fully-BB ROM security reduction for $S$, then
there exists a randomly-programming $(\Pi \to \Pi', \delta, t, q_F, q_R, 0, 0, q_A)$-fully-BB
ROM security reduction for $S$.

Proposition 2 (RPRed $\Rightarrow$ FPRed). If there exists a randomly-programming
$(\Pi \to \Pi', \delta, t, q_F, q_{ev}, q_{pr}, q_{ra}, q_A)$-fully-BB ROM security reduction
for $S$, then there exists a fully-programming $(\Pi \to \Pi', \delta, t', q_F, q_A)$-fully-BB
ROM security reduction for $S$, where$^4$ $t' = t + O(q \log q)$ for
$q = q \cdot q_A + q_{ev} + q_{pr} + q_{ra}$.

Next we show that schemes are secure in the WPRO model via a black-box 
reduction if and only if there is a randomly-programming reduction. Hence, 
restricting the random oracle in the WPRO sense, and restricting the reduction's 
abilities to program a full-fledged random oracle, are equivalent in a black-box 
sense. The first result, in particular, exploits the fact that a fully-BB reduction 
in the WPROM must also work for a randomly chosen (regular) function p. 

Proposition 3 (WPROM Red $\Rightarrow$ RPRed). If a $(\Pi \to \Pi', \delta, t, q_\rho, q_F, q_A)$-fully-BB
WPROM security reduction for $S$ exists, then a randomly-programming
$(\Pi \to \Pi', \delta', t', q_F, q \cdot q_A, q \cdot q_A, q_\rho + q \cdot q_A, q_A)$-fully-BB
ROM security reduction for $S$ exists, where
$\delta' = \delta - [\text{illegible}]/(2|\mathrm{Dom}|)$ and $t' = t + \Theta(q \cdot [\text{illegible}])$.

Proposition 4 (RPRed $\Rightarrow$ WPROM Red). If there exists a randomly-programming
$(\Pi \to \Pi', \delta, t, q_F, q_{ev}, q_{pr}, q_{ra}, q_A)$-fully-BB ROM security reduction
for $S$, then a $(\Pi \to \Pi', \delta, t', q_F, q'_\rho, q_A)$-fully-BB WPROM security reduction
for $S$ exists with $t' = t + O(q \cdot q_A \cdot \log(q \cdot q_A) \cdot [\text{illegible}])$
and $q'_\rho = q \cdot q_A + q_{ev} + q_{pr} + q_{ra}$.

4 The extra overhead $O(q \log q)$ is due to the simulation of the RPRO in the reduction.

WPROs Are Not ROs, but WPROM and ROM Are Equivalent. Below we will confirm the
expected implication that being a WPRO is actually a weaker requirement than being
a full-fledged RO. Yet existentially WPROs and ROs are equivalent, i.e. we can
efficiently construct a RO out of a WPRO.

For these comparisons we adopt the indifferentiability framework of Maurer,
Renner and Holenstein [12] to reason about primitives being close to random
oracles. We denote by $\mathrm{Adv}^{\mathrm{indiff}}_{C^H, R, S}(D)$ the advantage any
distinguisher $D$ has in distinguishing between a construction $C$ with component $H$,
and an ideal primitive $R$ (with an intermediary simulator $S$). We denote by the
superscripts "RO" and "WPRO" in the advantage the fact that the ideal primitive $R$ is
a random oracle or a WPRO.

First, we derive a WPRO that is not a RO, i.e. it is easily differentiable
from a random oracle. This serves to show that in general WPROs and ROs
are separated. Consider the composition $C^H(x) = \rho(H(x))$ of a random oracle
$H : \mathrm{Dom} \to \mathrm{Coins}$ and a regular one-way function
$\rho : \mathrm{Coins} \to \mathrm{Rng}$. In this case, any simulator $S$ would have to
invert $\rho$ for a sound simulation.

Proposition 5 (WPRO $\not\Rightarrow$ RO). For any function $\rho$ that is good for Rng, for
the construction $C^H(x) = \rho(H(x))$ there exists a simulator $S^{\mathrm{WPRO}}$ such that
$$\mathrm{Adv}^{\mathrm{indiff,WPRO}}_{C^H, S^{\mathrm{WPRO}}}(D) = 0$$
for any distinguisher $D$, but where there exists a distinguisher $D^{\mathrm{RO}}$ such that
for any simulator $S$,
$$\mathrm{Adv}^{\mathrm{indiff,RO}}_{C^H, S}(D^{\mathrm{RO}}) \ge 1 - \mathrm{Adv}^{\mathrm{owf}}_{\rho}(S).$$

Despite this generic separation, it is possible to build a (fully programmable)
random oracle out of a WPRO, essentially building RO outputs one bit at a
time. Specifically, for $x \in \{0,1\}^*$ let $x|_i$ denote the $i$th bit of $x$. Given a
function $H : \{0,1\}^* \to \{0,1\}^r$ for some $r \ge 1$ we consider the construction
$C^H : \{0,1\}^* \to \{0,1\}^m$ such that
$$C^H(x) = H(x \| \langle 1 \rangle)|_1 \,\|\, H(x \| \langle 2 \rangle)|_1 \,\|\, \cdots \,\|\, H(x \| \langle m \rangle)|_1,$$
where $\|$ denotes concatenation of strings and $\langle i \rangle$ is the (suffix-free) binary
encoding of an integer $i$. Note that the construction calls $H$ altogether $m$ times
to achieve output length $m$; one can improve the efficiency by outputting more
bits in each iteration at the cost of tightness in the reduction. Furthermore, due
to the suffix-freeness of $\langle \cdot \rangle$ one can always decide if a given string is of the
form $x \| \langle i \rangle$ for some $i \in \mathbb{N}$.
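The construction above with a concrete suffix-free encoding and the parse it makes possible, as an added example that is not code from the paper. The encoding $\langle i \rangle = \mathrm{bin}(i)\,\|\,1\,\|\,0^{|\mathrm{bin}(i)|}$, SHA-256 as a stand-in for the $r$-bit honest interface of the WPRO, and the generalisation to $w$ output bits per call (the efficiency option the text mentions) are all this example's assumptions.

```python
import hashlib

R_BITS = 256  # r: output length of the stand-in for R_hon (SHA-256); an assumption of this example


def enc(i: int) -> str:
    """Suffix-free binary encoding <i> of an integer i >= 1 (constructed for this example):
    bin(i) || '1' || '0' * len(bin(i)).  Read from the right, the run of zeros gives the
    length of bin(i) and the '1' delimits it, so no codeword is a suffix of another."""
    if i < 1:
        raise ValueError("i must be >= 1")
    bits = format(i, "b")
    return bits + "1" + "0" * len(bits)


def parse(s: str):
    """Decide whether the bit string s is of the form x || <i> for some i >= 1.
    Returns (x, i) if so, else None; suffix-freeness makes the parse unique."""
    length = len(s) - len(s.rstrip("0"))     # trailing zeros = len(bin(i))
    if length == 0 or len(s) < 2 * length + 1:
        return None
    if s[-(length + 1)] != "1":              # the delimiter must sit right before the zeros
        return None
    bits = s[-(2 * length + 1):-(length + 1)]
    if bits[0] != "1":                       # bin(i) has no leading zero for i >= 1
        return None
    return s[:-(2 * length + 1)], int(bits, 2)


def r_hon(s: str) -> str:
    """Stand-in for the WPRO's honest interface on bit strings: SHA-256 of the ASCII
    bits, returned as an R_BITS-long bit string (a real WPRO is an idealized object)."""
    digest = hashlib.sha256(s.encode("ascii")).digest()
    return "".join(format(byte, "08b") for byte in digest)


def construction(x: str, m: int, w: int = 1) -> str:
    """C^H(x) = H(x||<1>)|_1 || H(x||<2>)|_1 || ... || H(x||<m>)|_1 for w = 1.
    With w > 1 each call contributes its first w bits, so only ceil(m/w) calls are
    made; this generalisation is the example's, not the paper's construction."""
    if not 1 <= w <= R_BITS:
        raise ValueError("w must be between 1 and R_BITS")
    calls = -(-m // w)                        # ceil(m / w)
    out = "".join(r_hon(x + enc(i))[:w] for i in range(1, calls + 1))
    return out[:m]


if __name__ == "__main__":
    x = "1011"
    print(construction(x, 16), parse(x + enc(37)))
```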

Theorem 1 (WPROM $\Rightarrow$ ROM). For all good functions $\rho$, all integers $t > 0$,
and a WPRO $R^\rho = (R_{adv}, R_{hon}) : \{0,1\}^* \to \{0,1\}^r$, there exists a simulator
$S_{\rho,t}$ such that for all distinguishers $D$ issuing at most $q$ queries to each oracle
we have
$$\mathrm{Adv}^{\mathrm{indiff,RO}}_{C^{R^\rho}, S_{\rho,t}}(D) \le q \cdot 2^{-t},$$
where the simulator $S_{\rho,t}$ invokes $R$ at most once on each query and has running
time $O(t \cdot (\mathrm{Time}_\rho + \mathrm{Time}_{\mathrm{Coins}}))$, where $\mathrm{Time}_\rho$
and $\mathrm{Time}_{\mathrm{Coins}}$ are the times needed to compute $\rho$ and to sample a
random element from Coins, respectively.

5 Trapdoor-Permutation-Based Key-Encapsulation
5.1 TDP-KEM Security in the WPROM

A key-encapsulation mechanism (KEM) is a triple of algorithms denoted KEM =
(Key, Encap, Decap) that operate as follows. The probabilistic key-generation
algorithm returns a key-pair $(pk, sk)$; we write $(pk, sk) \xleftarrow{\$} \mathrm{Key}$. The (key)
encapsulation algorithm Encap is a probabilistic algorithm that takes $pk$ as input and
returns a key-ciphertext pair $(K, C)$ where $K \in \mathcal{K}$ for some non-empty set $\mathcal{K}$.
The (key) decapsulation algorithm takes as input a pair $(sk, C)$ and deterministically
outputs a key $K \in \mathcal{K}$ or the distinguished symbol $\bot$ to denote invalidity
of $(sk, C)$. For proper operation, we require that for all pairs $(pk, sk)$ generated
by Key, if $(K, C) \xleftarrow{\$} \mathrm{Encap}(pk)$ then $K \leftarrow \mathrm{Decap}(sk, C)$.

Let KEM = (Key, Encap, Decap) be a KEM, $\mathcal{K}$ be a non-empty set, and $A$ be
a KEM adversary. The security of KEM, in the WPRO model of hash function $R$
with underlying function $\rho$, against an adversary $A$ is defined by the following
experiment:

$$\begin{array}{l}
\mathrm{Exp}^{\mathrm{kem\text{-}cca}}_{\mathrm{KEM}, R^\rho}(A) \\
\quad (pk, sk) \xleftarrow{\$} \mathrm{Key};\ b \xleftarrow{\$} \{0,1\}; \\
\quad b' \xleftarrow{\$} A^{\mathrm{Decap}(sk,\cdot),\, R^\rho(\cdot),\, \mathrm{Encap}(pk,b,\cdot)}(pk) \\
\quad \text{if } b' = b \text{ then return } 1 \text{ else } 0
\end{array}$$

The $\mathrm{Decap}(sk, \cdot)$ oracle performs the decapsulation algorithm upon its
input and returns the result. The $\mathrm{Encap}(pk, b, \cdot)$ oracle takes as input a
distinguished symbol Run, picks $K_0 \xleftarrow{\$} \mathcal{K}$, runs the encapsulation algorithm to
produce $(K_1, C) \xleftarrow{\$} \mathrm{Encap}(pk)$, and returns the challenge $(K_b, C)$. The
encapsulation oracle can be queried only once by the adversary. We then define the
KEM-CCA advantage of adversary $A$ in breaking the KEM scheme via a chosen-ciphertext
attack as
$\mathrm{Adv}^{\mathrm{kem\text{-}cca}}_{\mathrm{KEM}, R^\rho}(A) = \Pr[\mathrm{Exp}^{\mathrm{kem\text{-}cca}}_{\mathrm{KEM}, R^\rho}(A) = 1] - 1/2$,
where $A$ is forbidden to ask the challenge ciphertext $C$ to its decapsulation oracle.

TDP-based KEMs in the WPRO Model. We recall that a trapdoor permutation
with domain Dom is a triple $\mathcal{TP} = (G, F, F^{-1})$ of efficient algorithms such
that $G$ returns a pair $(pk, td)$, consisting of the public key and the trapdoor,
with the property that $F(pk, \cdot)$ implements a permutation $f_{pk} : \mathrm{Dom} \to \mathrm{Dom}$,
whereas $F^{-1}(td, \cdot)$ implements its inverse $f_{pk}^{-1}(\cdot)$. Consider key encapsulation
mechanism $\mathrm{TDP\text{-}KEM}^R[\mathcal{TP}] = (\mathrm{Key}, \mathrm{Encap}, \mathrm{Decap})$ based on a TDP
$\mathcal{TP} = (G, F, F^{-1})$ with domain Dom and a WPRO $R^\rho : \mathrm{Dom} \to \mathcal{K}$ for some
underlying good function $\rho$ mapping Coins to $\mathcal{K}$, where $\mathcal{K}$ is some non-empty
set. The key generation algorithm is defined by $\mathrm{Key} = G$, so it returns a pair
$(pk, td)$. The encapsulation algorithm on input $pk$ samples $x \xleftarrow{\$} \mathrm{Dom}$, sets
$K \leftarrow R_{hon}(x)$ and $C \leftarrow F(pk, x)$, and returns $(K, C)$. The decapsulation
algorithm on input $(td, C)$ computes $x \leftarrow F^{-1}(td, C)$, sets $K \leftarrow R_{hon}(x)$ and
returns $K$.

The KEM-CCA security of this scheme is tightly bound to the OWF security
of the underlying TDP. Our proof largely mirrors the one given by Shoup [15]
for RSA-KEM in the ROM.
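The TDP-KEM algorithms and the single-query encapsulation oracle of the KEM-CCA experiment, instantiated for illustration; this is an added example, not code from the paper. It assumes a toy RSA trapdoor permutation on small primes (not secure), models the WPRO $R^\rho$ as the composition of Proposition 5, i.e. $R_{adv}(x) = H(x)$ returns coins and $R_{hon}(x) = \rho(H(x))$, and uses SHA-256 as a stand-in for both the random oracle $H$ and the good function $\rho$.

```python
import hashlib
import secrets

# --- Toy trapdoor permutation TP = (G, F, F^{-1}) on Dom = Z_n (constructed, NOT secure) ---
TOY_P, TOY_Q, TOY_E = 65537, 65539, 5   # small primes for illustration only; gcd(5, phi) = 1


def G():
    """Key generation: returns (pk, td) with pk = (n, e) and trapdoor td = (n, d)."""
    n = TOY_P * TOY_Q
    phi = (TOY_P - 1) * (TOY_Q - 1)
    d = pow(TOY_E, -1, phi)
    return (n, TOY_E), (n, d)


def F(pk, x):
    """F(pk, .): the RSA permutation f_pk(x) = x^e mod n on Dom = Z_n."""
    n, e = pk
    return pow(x, e, n)


def F_inv(td, y):
    """F^{-1}(td, .): its inverse y^d mod n."""
    n, d = td
    return pow(y, d, n)


# --- WPRO R^rho = (R_hon, R_adv): Dom -> K, modelled as rho(H(x)) (assumption of this example) ---
KEY_BYTES = 16   # K = {0,1}^128


def H(x: int) -> bytes:
    """Random-oracle stand-in Dom -> Coins (SHA-256 of the encoded domain point)."""
    return hashlib.sha256(b"H|" + x.to_bytes(8, "big")).digest()


def rho(r: bytes) -> bytes:
    """Stand-in for the good function rho: Coins -> K (SHA-256 truncated to K)."""
    return hashlib.sha256(b"rho|" + r).digest()[:KEY_BYTES]


def R_adv(x: int) -> bytes:
    """Adversarial interface: returns the coins r = H(x)."""
    return H(x)


def R_hon(x: int) -> bytes:
    """Honest interface: returns rho(r) for the same coins."""
    return rho(R_adv(x))


# --- TDP-KEM^R[TP] = (Key, Encap, Decap) ---
def Key():
    return G()


def Encap(pk, x=None):
    """Sample x <-$ Dom (or use the given x), set K <- R_hon(x) and C <- F(pk, x)."""
    n, _ = pk
    if x is None:
        x = secrets.randbelow(n)
    return R_hon(x), F(pk, x)


def Decap(td, C):
    """Compute x <- F^{-1}(td, C) and return K <- R_hon(x).  None stands for the
    symbol bottom when C lies outside Dom (this range check is the example's addition)."""
    n, _ = td
    if not 0 <= C < n:
        return None
    return R_hon(F_inv(td, C))


def encap_oracle(pk, b: int):
    """The Encap(pk, b, Run) oracle of Exp^{kem-cca}: K_0 <-$ K, (K_1, C) <-$ Encap(pk),
    return the challenge (K_b, C).  The experiment allows a single query to it."""
    k0 = secrets.token_bytes(KEY_BYTES)
    k1, c = Encap(pk)
    return (k0, k1)[b], c


def roundtrip(x=None) -> bool:
    """Correctness check: Decap(td, C) recovers the key produced by Encap(pk)."""
    pk, td = Key()
    k, c = Encap(pk, x)
    return Decap(td, c) == k


if __name__ == "__main__":
    print(roundtrip(), roundtrip(0))
```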

Theorem 2 (WPROM Reduction for TDP-KEM). Let $\mathcal{TP} = (G, F, F^{-1})$ be
a trapdoor permutation with domain Dom. Let $\mathrm{TDP\text{-}KEM}^R[\mathcal{TP}] = (\mathrm{Key}, \mathrm{Encap},
\mathrm{Decap})$ be the TDP-based KEM described above. Let $\rho$ be good for the non-empty
set $\mathcal{K}$, and let $A$ be an adversary suitable for
$\mathrm{Exp}^{\mathrm{kem\text{-}cca}}_{\mathrm{TDP\text{-}KEM}, R^\rho}(A)$ asking $q_D$ queries to its decapsulation
oracle, $q_R$ queries to the WPRO and running in time $t$. Then there exists an
adversary $B = B^{\rho, F, A(\cdot)}$ such that
$$\mathrm{Adv}^{\mathrm{kem\text{-}cca}}_{\mathrm{TDP\text{-}KEM}, R^\rho}(A) \le 2 \cdot \mathrm{Adv}^{\mathrm{owf}}_{\mathcal{TP}}(B) + \frac{q_D}{|\mathrm{Dom}|},$$
where $B$ uses a single instantiation of $A$, runs in time at most
$t + q \log q \cdot (\mathrm{Time}_F + \mathrm{Time}_\rho + \mathrm{Time}_{\mathrm{Coins}} + \mathrm{Time}_{\mathcal{K}})$
for $q = q_D + q_R + 1$ and $\mathrm{Time}_X$ denotes the time to execute algorithm $X$ or to
sample from set $X$.

Here we give a very brief overview of the proof. The reduction is required to invert
the TDP on some challenge range point $C^*$, and it will embed this challenge
along with a random key $K$ as the response $(K, C^*)$ to the KEM-adversary's
encapsulation query. Despite not having access to the trapdoor information, the
reduction can answer decapsulation queries by (randomly) programming the
WPRO to $\rho(r)$, where $r$ is uniform. This simulation is correct, and can easily be
made consistent with WPRO queries, except in the case that Decap is queried on
the TDP challenge point $C^*$. This case accounts for the $q_D/|\mathrm{Dom}|$ term in the
bound. Barring that case, the KEM-adversary wins its game only by querying
the WPRO on the preimage of $C^*$, in which case the reduction succeeds in inverting
its challenge.

5.2 TDP-KEM Is Not Provable under Non-programming Reductions

In the proof of Theorem 2, a weak form of programmability is needed to allow
for consistent simulation of the decapsulation oracle. Namely, the reduction may
need to return a random key $K \in \mathcal{K}$ for a decapsulation query $C$, because it
does not know the associated preimage $r$ of $C$ under $F(pk, \cdot)$. Consequently, if
the adversary queries the random oracle with input $r$ at a later point in time, its
output is programmed to $K$. This fact makes TDP-KEM amenable to an attempt
to entirely avoid programmability, e.g., by means of rewinding techniques. Yet,
any such approach is doomed to fail: we prove that TDP-KEM cannot be proven
secure with respect to non-programming fully-BB reductions, hence showing that
TDP-KEM is a scheme which necessarily requires a mild type of programmability.

This is summarized by the following theorem. Note that the result requires
$q_A < 2^{q-1}$: For a small number of adversarial queries $q$ a reduction may indeed
be feasible (e.g. using rewinding). Yet, for acceptable values of $q$ the value $2^{q-1}$ is
too large for an efficient reduction to be allowed to issue more than $2^{q-1}$ queries.

Theorem 3 (Non-programming Irreducibility for TDP-KEM).

Let $\mathrm{TDP\text{-}KEM}^R[\mathcal{TP}] = (\mathrm{Key}, \mathrm{Encap}, \mathrm{Decap})$ be the TDP-KEM scheme with key
space $\mathcal{K}$, relying on a trapdoor permutation $\mathcal{TP} = (G, F, F^{-1})$ with domain Dom
and public-key/trapdoor space $\{0,1\}^k$, as well as on a random oracle $R : \mathrm{Dom} \to \mathcal{K}$.
Then, for all $t, q > 0$, all $\varepsilon < [\text{illegible}]$, and all
$(\mathrm{kem\text{-}cca} \to \mathrm{owp}, \delta, t, (q_G, q_F, q_{F^{-1}}), q_R, q_A)$-fully-BB non-programming
reductions $B$ for TDP-KEM, we have
$$\delta(\varepsilon, q, q \cdot \log|\mathrm{Dom}|) \le \frac{(q_A q + 1)\cdot(2 q_A q + q_F + q_R + 1)}{|\mathrm{Dom}|} + \frac{q_A q}{|\mathcal{K}|} + \frac{q_G + q_{F^{-1}}}{2^k},$$
where $q_G$, $q_F$, $q_{F^{-1}}$, and $q_R$ are the number of queries of $B$ to the respective oracles,
and $q_A < 2^{q-1}$ is the number of adversarial instances run by $B$.


We provide a high-level description of the proof. We rely on an ideal trapdoor
permutation $\mathcal{TP} = \mathcal{TP}^{\mathcal{T}} = (G, F, F^{-1})$ defined using the oracles
$\mathcal{T} = (\mathcal{T}_\tau, \mathcal{T}_E, \mathcal{T}_{E^{-1}})$: The oracle $\mathcal{T}$ initially chooses a keyed family of
random permutations $E : \{0,1\}^k \times \mathrm{Dom} \to \mathrm{Dom}$ (in other words, $E(pk, \cdot)$ is a
random permutation for all $k$-bit $pk$), as well as a random permutation $\tau$ that
associates to each $k$-bit trapdoor $td$ a corresponding public key $pk = \tau(td)$. The
oracles $\mathcal{T}_\tau$ and $\mathcal{T}_E$ allow direct evaluation of $\tau$ and $E$, whereas the oracle
$\mathcal{T}_{E^{-1}}$, on input $(td, y)$ computes $E^{-1}(\tau(td), y)$. The associated trapdoor
permutation $\mathcal{TP}^{\mathcal{T}} = (G, F, F^{-1})$ is such that the generation algorithm chooses a
random uniform trapdoor $td \xleftarrow{\$} \{0,1\}^k$, and sets the public key $pk \leftarrow \tau(td)$.
Furthermore, the algorithms $F$ and $F^{-1}$ simply call $\mathcal{T}_E$ and $\mathcal{T}_{E^{-1}}$,
respectively, with their inputs, and return the corresponding output. Note that, even
given the public key $pk$, in order to be able to use $\mathcal{T}_{E^{-1}}$ for inversion of $F(pk, \cdot)$
we are required to guess $\tau^{-1}(pk)$ given only access to $\tau$, which is of course
infeasible (at least without an extra oracle).

We show that there exists a deterministic adversary $A$ making $q$ queries from
Dom (and hence of length $\log|\mathrm{Dom}|$ bits each) and accessing an oracle
$O : \{0,1\}^* \to \mathrm{Dom}$ such that
$\mathrm{Adv}^{\mathrm{kem\text{-}cca}}_{\mathrm{TDP\text{-}KEM}^R[\mathcal{TP}]}(A^{O, \mathcal{TP}, R}) \ge 1 - [\text{illegible}]$
for all $\mathcal{TP}$ and $O$, but whenever $O$ is a random oracle and $\mathcal{TP} = \mathcal{TP}^{\mathcal{T}}$, then
$$\mathrm{Adv}^{\mathrm{owf}}_{\mathcal{TP}}\big(B^{\mathcal{TP}, R, A^{O, \mathcal{TP}, R}}\big) \le \frac{(q_A q + 1)\cdot(2 q_A q + q_F + q_R + 1)}{|\mathrm{Dom}|} + \frac{q_A q}{|\mathcal{K}|} + \frac{q_G + q_{F^{-1}}}{2^k}$$
for all reductions $B$ as in the statement of the theorem, where in particular $B$ can
run $q_A$ instances of $A$ answering both its encapsulation and the decapsulation
queries. The statement of the theorem is obtained by derandomizing $\mathcal{T}$ and $O$
as described in Section 2.3.


Adversary Description. Ideally, we would like the (inefficient) adversary $A$
to be capable of determining whether it is being run in the actual kem-cca-game,
or whether it is being used by the reduction $B$ in order to break the one-wayness
of the underlying trapdoor permutation $\mathcal{TP}$. A naive approach consists
of letting $A$, on input the public key $pk$, choose a random $r \xleftarrow{\$} \mathrm{Dom}$ and compute
$C \leftarrow F(pk, r)$: the adversary subsequently asks $C$ to the decapsulation oracle,
obtaining a value $K$. Finally, it issues a query $r$ to the random oracle $R$, and
checks whether $R(r) = K$. In the affirmative case, it assumes that it is being
used in the actual kem-cca-game, and proceeds in breaking the scheme, e.g., by
inverting $F(pk, \cdot)$ on the challenge ciphertext and guessing the bit $b$ by making
an additional random oracle query. Otherwise, $A$ just outputs a random guess.
Intuitively, since $B$ is efficient, it cannot retrieve $r$ given only $C$, and thus must
give some independent answer $K'$ back to $A$'s decapsulation query, such that
$A$'s check will then fail.

This argument, however, has two major fallacies. First, the randomness of $A$ is
determined by $B$, and thus $r$ is chosen (and known) by $B$. Second, even provided
a way for $A$ to issue a decapsulation query for a ciphertext $C$ with preimage $r$
unknown to $B$, the reduction $B$ can still first run $A$ by giving a random answer
to the decapsulation query, up to the point where the random-oracle check fails,
and hence finding out $r$ (as it is queried to $R_{pub}$). It subsequently rewinds $A$ so
that the same query $C$ is issued, for which now $B$ knows the right answer $R(r)$.
This allows $B$ to invert the underlying $\mathcal{TP}$, by just giving the challenge output
$y$ as the challenge ciphertext to $A$'s encapsulation query.

We overcome both these problems by using a random oracle $O : \{0,1\}^* \to \mathrm{Dom}$
and considering the following adversary $A$: On input the public key $pk$, it
asks a sequence of decapsulation queries $C_1, C_2, \ldots, C_\ell$ (for $\ell = q - 1$), where
$C_i$ is computed by applying the random oracle to $pk$, to $C_1, \ldots, C_{i-1}$, and to
the answers of the previous queries. (We assume that such inputs can injectively
be mapped into bit strings.) Then, it checks the correctness of the answers
$K_\ell, K_{\ell-1}, \ldots$ in reverse order (as above, it checks whether $K_i = R(F^{-1}(pk, C_i))$),
but stops checking as soon as the first inconsistency is found. (This is crucial for
the analysis to go through.) Finally, it behaves as above depending on whether
all checks have been successful or not.

The main idea is that rewinding does not help when $O$ is a random oracle,
since (provided some unlikely events do not occur) the best strategy for $B$ to
build a run of an instance of $A$ where the correctness check is always satisfied
requires exponentially many (in $\ell$) executions of $A$. This is proven by showing
an interesting connection to a tree-based, purely combinatorial, game. This
approach is similar to the schedule used by Canetti et al. [6] to prove a lower bound
on the round complexity of black-box concurrent zero-knowledge proofs.

6 FDH Is Not Provably Secure in the WPRO Model 

In this section we consider the traditional full-domain hash signature scheme and
show that one cannot prove it secure under randomly-programming reductions
only.$^5$ Hence, a stronger version of programmability is required. We carry out
our proof in the WPRO model and the result follows for randomly-programming
reductions by the equivalence.

5 In fact, we prove the slightly stronger statement that not even a $\rho$-dependent
black-box reduction in the WPRO model exists for any one-way good function $\rho$.
Full-Domain Hash. We briefly recall the FDH-signature scheme. The scheme
$\mathrm{FDH}^H[\mathcal{TP}] = (\mathrm{Kg}, \mathrm{Sign}, \mathrm{Ver})$ is based on a trapdoor permutation
$\mathcal{TP} = (G, F, F^{-1})$. To sign a message $M \in \mathrm{Msg}$ one computes
$\sigma \leftarrow F^{-1}(sk, H(M))$ for hash function $H : \mathrm{Msg} \to \mathrm{Sig}$, and to verify one
checks that $F(pk, \sigma) = H(M)$, where $(pk, sk)$ are the keys generated through Kg.
Below we consider a very weak unforgeability notion for FDH (called wsig), where the
adversary has to forge a signature for a random message in a key-only attack. This
strengthens our result as we show that even WPROM reductions from wsig to the
one-wayness of the trapdoor permutation (owp) perform badly.

FDH Cannot be Secure in the WPROM. We have the following result, 
which states that FDH cannot be proven secure (by a black-box security analysis) 
in the WPROM. 

Theorem 4 (WPROM Irreducibility of FDH). Let $\mathrm{FDH}^R[\mathcal{TP}] = (\mathrm{Kg}, \mathrm{Sign},
\mathrm{Ver})$ be the FDH scheme with message space Msg and signature space Sig,
relying on a trapdoor permutation $\mathcal{TP} = (G, F, F^{-1})$ with domain Sig and
public-key/trapdoor space $\{0,1\}^k$, as well as on a random oracle $R : \mathrm{Msg} \to \mathrm{Sig}$.
Then, for all $t > 0$, all $\varepsilon < 1$, and all
$(\mathrm{wsig} \to \mathrm{owp}, \delta, t, (q_G, q_F, q_{F^{-1}}), q_\rho, q_A)$-fully-BB WPROM security
reductions $B$ for FDH we have$^6$
$$\delta(\varepsilon) \le \frac{q_G + q_{F^{-1}}}{2^k} + \frac{q_F + 2 q_A + q_\rho + 2}{|\mathrm{Sig}|},$$
where $q_G$, $q_F$, $q_{F^{-1}}$, and $q_\rho$ are the number of queries of $B$ to $G$, $F$, $F^{-1}$, and
$\rho$, respectively, whereas $q_A$ is the number of adversarial instances run by $B$.

The proof adopts a variant of the two-oracle separation technique by Hsiao
and Reyzin [11]. For $\mathcal{T}$ and the ideal (i.e. random) trapdoor permutation
$\mathcal{TP}^{\mathcal{T}} = (G, F, F^{-1})$ defined as in the proof of Theorem 3, we define for all
functions $\rho$ an oracle $\mathcal{B} = \mathcal{B}^{\mathcal{T}, \rho}$ such that $\mathcal{TP}^{\mathcal{T}}$ is one way
relative to $\mathcal{B}$ as long as $\rho$ is one way, yet there exists an adversary $A_{\mathrm{FDH}}$
forging an FDH-signature given access to $\mathcal{B}$ on any given message, i.e. it breaks
FDH in the strongest possible sense.

Roughly speaking, the oracle $\mathcal{B}$ allows inversion of $F(pk, \cdot)$ on each output
$y'$ whenever a preimage $r'$ of $y'$ under $\rho$ is exhibited: This allows inversion
of $F(pk, \cdot)$ for any output of $R^\rho_{adv}$, and hence arbitrary forgeries in the
WPROM. Yet, in the task of inverting $F(pk, \cdot)$ on a random $y$, coming up with
a valid preimage of $y$ under $\rho$ is as hard as inverting $\rho$, and thus infeasible if
$\rho$ is one way. Therefore, the oracle $\mathcal{B}$ is only used to invert $F(pk, \cdot)$ for
outputs other than the random challenge, which does not help it to win the OWF
game.


6 We remark that wsig adversaries are only permitted to output one forgery, and
perform no queries: the function $\delta$ hence only depends on $\varepsilon$ without loss of generality.

Abstract. We construct non-interactive zero-knowledge arguments for
circuit satisfiability with perfect completeness, perfect zero-knowledge
and computational soundness. The non-interactive zero-knowledge arguments
have sub-linear size and very efficient public verification. The size
of the non-interactive zero-knowledge arguments can even be reduced to
a constant number of group elements if we allow the common reference
string to be large. Our constructions rely on groups with pairings and
security is based on two new cryptographic assumptions; we do not use
the Fiat-Shamir heuristic or random oracles.

Keywords: Sub-linear size non-interactive zero-knowledge arguments,
pairing-based cryptography, power knowledge of exponent assumption,
computational power Diffie-Hellman assumption.


1 Introduction 

Zero-knowledge proofs introduced by Goldwasser, Micali and Rackoff [?] are
fundamental building blocks in cryptography that are used in numerous protocols.
Zero-knowledge proofs enable a prover to convince a verifier of the truth of
a statement without leaking any other information. The central properties are
captured in the notions of completeness, soundness and zero-knowledge.

Completeness: The prover can convince the verifier if the prover knows a
witness testifying to the truth of the statement.

Soundness: A malicious prover cannot convince the verifier if the statement is
false. We distinguish between computational soundness that protects against
polynomial time cheating provers and statistical or perfect soundness where
even an unbounded prover cannot convince the verifier of a false statement.
We will call computationally sound proofs arguments.

Zero-knowledge: A malicious verifier learns nothing except that the statement
is true. We distinguish between computational zero-knowledge, where
a polynomial time verifier learns nothing from the proof, and statistical or
perfect zero-knowledge, where even a verifier with unlimited resources learns
nothing from the proof.

* Supported by EPSRC grant EP/G013829/1.

M. Abe (Ed.): ASIACRYPT 2010, LNCS 6477, pp. 321-340, 2010.
The first zero-knowledge proofs relied on interaction between the prover and
the verifier. Many cryptographic tasks are carried out off-line though; for
instance signing or encrypting messages. For these tasks it is desirable to have
non-interactive zero-knowledge (NIZK) proofs, where there is no interaction
and a proof just consists of a single message from the prover to the verifier.
Unfortunately, only languages in BPP have NIZK proofs in the plain model
without any setup [?]. However, Blum, Feldman and Micali [?] introduced
NIZK proofs in the common reference string model, where both the prover and
verifier have access to a common reference string generated in a trusted way.
Such NIZK proofs have many applications, ranging from early chosen ciphertext
attack secure public-key cryptosystems [?] to recent advanced signature
schemes [?]. For this reason there has been a lot of research into the underlying
assumptions [?], the efficiency [?], and the security guarantees
offered by NIZK proofs [?].

NIZK proofs based on standard cryptographic assumptions used to be inefficient
and not useful in practice. To get around this inefficiency, applied
cryptographers have relied on the so-called Fiat-Shamir heuristic for transforming
public-coin interactive zero-knowledge proofs into NIZK arguments by using
a cryptographic hash-function to compute the verifier's challenges. The
Fiat-Shamir heuristic can give very efficient NIZK arguments that are secure in the
random oracle model [?], where the cryptographic hash-function is modeled as
a random function. It is for instance possible to use the Fiat-Shamir heuristic
to transform sub-linear size interactive public-coin zero-knowledge arguments
[?] into sub-linear size non-interactive zero-knowledge arguments [?]. Unfortunately,
there are several examples of protocols that are secure in the random
oracle model, but do not have any secure standard model instantiation no
matter which hash-function is used [?]. Particularly relevant here is
Goldwasser and Kalai's [22] demonstration of a signature scheme built from a
public-coin identification scheme that is secure in the random oracle model but
insecure in real life.

Recent works on NIZK proofs have used bilinear groups to improve efficiency.
Groth, Ostrovsky and Sahai [?] gave NIZK proofs for circuit satisfiability
where the proof consists of $O(|C|)$ group elements, with $|C|$ being the number of
gates in the circuit. Their NIZK proofs have the property that they can be set
up to give either perfect soundness and computational zero-knowledge, or
alternatively computational soundness and perfect zero-knowledge. Works by Boyen,
Waters, Groth and Sahai [?] have explored how to build efficient NIZK
proofs that are directly applicable in bilinear groups instead of going through
circuit satisfiability. In some special cases, for instance in the ring signature of
Chandran, Groth and Sahai [?], these techniques lead to sub-linear size NIZK
proofs but in general the number of group elements in an NIZK proof grows
linearly in the size of the statement. Abe and Fehr [1] gave a construction based
on commitments instead of encryptions, but since there is a commitment for
each wire they also get a linear growth in the size of the circuit.
Looking at the NP-complete problem of circuit satisfiability, the reason the
NIZK proofs grow linearly in the circuit size is that they encrypt the value of
each wire in the circuit. Gentry's new fully homomorphic cryptosystem [20] can
reduce the NIZK proof to being linear in the size of the witness: The prover
encrypts the inputs to the circuit and uses the homomorphic properties of the
cryptosystem to compute the output of the circuit. The prover then gives NIZK
proofs for the input ciphertexts being valid and the output ciphertext containing
1. Fully homomorphic encryption only helps when the circuit has a small witness
though; if the circuit has a linear number of input wires the resulting NIZK proof
will also be linear in the circuit size.


1.1 Our Contribution 

Micali's CS proofs [?] indicated the possibility of sub-linear size NIZK arguments,
but despite more than a decade of research the Fiat-Shamir heuristic is
the only known strategy for constructing sub-linear size NIZK arguments. Our
goal is to introduce a new type of sub-linear size NIZK arguments where security
does not rely on the random oracle model.

We construct NIZK arguments for circuit satisfiability with perfect completeness,
computational soundness and perfect zero-knowledge (see Section [?] for
definitions). The NIZK arguments are short and very efficient to verify, but the
prover uses a super-linear number of group operations. We first give an NIZK
argument consisting of a constant number of group elements but having a long
common reference string. We then show that it is possible to reduce the size
of the common reference string at the cost of increasing the size of the NIZK
argument, making them simultaneously sub-linear in the circuit size.

The soundness of our NIZK argument relies on the $q$-computational power
Diffie-Hellman and the $q$-power knowledge of exponent assumptions (see Section
[?]). The $q$-CPDH assumption is a normal computational intractability assumption
but the $q$-PKE is a so-called knowledge of exponent assumption. Knowledge
of exponent assumptions have been criticized for being unfalsifiable [?] but the
use of a non-standard assumption may be unavoidable since Abe and Fehr [1]
have demonstrated that no statistical zero-knowledge NIZK argument for an
NP-complete language has a "direct black-box" reduction to a standard cryptographic
assumption unless NP $\subseteq$ P/poly.

1 Abe and Fehr do not rule out the existence of statistical NIZK arguments with
non-adaptive soundness, where the adversary chooses the statement obliviously of the
common reference string. Since the common reference string is public it is more
natural to define soundness adaptively though; indeed we do not know of any practical
applications of NIZK arguments with non-adaptive soundness.

2 The very assumption that an NIZK argument is sound seems to be unfalsifiable as
well since even if an adversary outputs a false statement and a convincing NIZK
argument it may be hard to verify that the statement is false. Groth, Ostrovsky
and Sahai [?] circumvented this problem by defining co-soundness for languages
in NP $\cap$ coNP, which is falsifiable since the adversary can produce a coNP-witness
certifying that the statement is false.
Table 1. Comparison of NIZK proofs and arguments

                        | CRS size      | Proof size    | Prov. comp.   | Ver. comp.    | Assumption
Groth [?]               | O(|C|) G      | O(|C|) G      | O(|C|) E      | O(|C|) M      | trapdoor perm.
Groth [27]              | O(|C|) bits   | O(|C|) bits   | O(|C|) M      | O(|C|) M      | Naccache-Stern
Gentry [20]             | O(1) G        | |w| k^O(1) G  | |C| k^O(1) M  | |C| k^O(1) M  | lattice-based
G-Ostrovsky-Sahai [?]   | O(1) G        | O(|C|) G      | O(|C|) E      | O(|C|) P      | pairing-based
Abe-Fehr [1]            | O(1) G        | O(|C|) G      | O(|C|) E      | O(|C|) E      | knowledge of expo.
Groth [?]               | O(1) G        | O(|C|) G      | O(|C|) E      | O(|C|) E      | random oracle
                        | O(|C|^?) G    | O(|C|^?) G    | O(|C|) M      | O(|C|) M      |
This paper              | O(|C|^?) G    | O(1) G        | O(|C|^?) M    | O(|C|) M      | PKE and CPDH
This paper              | O(|C|^?) G    | O(|C|^?) G    | O(|C|^?) M    | O(|C|) M      | PKE and CPDH

(Exponents marked ^? are illegible in the source.)


Table 1 gives a comparison to other NIZK proofs and arguments for circuit
satisfiability, where $k$ is a security parameter, G stands for the size of a group
element, M and E are the costs of respectively multiplications and exponentiations,
and P is the cost of a pairing in a bilinear group (see Section [?]).

Compared to other pairing-based NIZK arguments, our arguments are smaller 
and faster to verify. The prover uses a super-linear number of multiplications and 
the computational cost may grow beyond a linear number of exponentiations. 
The public verifiability means that the NIZK arguments are transferable though; 
they can be copied and distributed to many different entities that can do their 
own independent verification. The prover only pays a one-time cost for comput- 
ing the NIZK argument, while all verifiers enjoy the benefits of low transmission 
bandwidth and efficient verification. 

Perfect Zaps. The common reference string model assumes a trusted setup for
generating common reference strings and making them available to the prover
and verifier. In case no such setup is available we can still get a sub-linear size
2-move publicly verifiable witness-indistinguishable argument where the verifier's
first message can be reused many times, a so-called Zap [?], as follows: The
verifier generates a common reference string. The prover verifies that the common
reference string is well-formed (our common reference string is not a random
bit-string, but it does have a certain structure that makes it possible to verify that it
is well-formed) and can now make arbitrarily many Zaps using the verifier's initial
message as the common reference string. Since our NIZK argument is perfectly
zero-knowledge, the Zaps will be perfectly witness-indistinguishable.


1.2 Outline of Our NIZK Argument 

We will construct NIZK arguments for the existence of an input to a binary
circuit $C$ making it output 1. At a loss of a constant factor, we may assume $C$
consists of NAND-gates. Furthermore, if we label the output wire $a$ we may add
a self-loop to the circuit consisting of a NAND-gate $a = \neg(a \wedge b)$ forcing $a$ to be
1. This reduces the challenge to proving that there is an assignment of truth-values
to the wires that respects all the $N = |C|$ NAND-gates in the circuit.

3 We remark that even if the common reference string is adversarially chosen the
sub-linearity of our NIZK arguments imposes an information theoretic upper bound on
how much information can be leaked.

The NIZK argument relies on length-reducing commitments where we commit 
to n values in a finite field using only a constant number of group elements. 
We will also use non-interactive arguments consisting of a constant number of 
group elements for proving the following properties about committed values: 

Entry-wise product: Commitments $c, d, v$ contain values $a_1, \dots, a_n$, $b_1, \dots, b_n$ and $u_1, \dots, u_n$ that satisfy $u_i = a_i b_i$ for all i.

Permutation: Commitments $c, d$ contain values $a_1, \dots, a_n$ and $b_1, \dots, b_n$ that satisfy $b_i = a_{p(i)}$ for all i, where p is a publicly known permutation of n elements.

Let us sketch how commitments combined with these two types of non-interactive arguments give us a constant size NIZK argument for circuit satisfiability when $n = 2N$. The prover gets as a witness for the satisfiability of the circuit $a_1, \dots, a_N$ and $b_1, \dots, b_N$ such that $a_i, b_i$ are the inputs to gate i and all the values are consistent with the wires and respect the NAND-gates. We use the convention that $-1$ corresponds to false and $+1$ corresponds to true, so if $u_i$ is the output of gate i we have $u_i = -a_i b_i$.

The prover makes commitments to the 2N-tuples

$(a_1, \dots, a_N, b_1, \dots, b_N) \qquad (b_1, \dots, b_N, 0, \dots, 0) \qquad (-u_1, \dots, -u_N, 0, \dots, 0).$

The prover gives an entry-wise product argument on the commitment to $(a_1, \dots, a_N, b_1, \dots, b_N)$ with itself to show $a_i^2 = 1$ and $b_i^2 = 1$ for all i. This shows that $a_1, \dots, a_N, b_1, \dots, b_N \in \{-1, 1\}$ are appropriate truth values.

An output of one NAND-gate may be the input of other NAND-gates, which means the corresponding values $a_{i_1}, \dots, a_{i_t}, b_{j_1}, \dots, b_{j_m}$ have to have the same assignment. The prover picks a permutation p that contains cycles $i_1 \to i_2 \to \dots \to i_t \to j_1 + N \to j_2 + N \to \dots \to j_m + N \to i_1$ for all such sets of values that have to be consistent and gives a permutation argument on the commitment to $(a_1, \dots, a_N, b_1, \dots, b_N)$. This shows for each set of values corresponding to the same output wire that $a_{i_2} = a_{i_1}, \dots, b_{j_1} = a_{i_t}, \dots, b_{j_m} = b_{j_{m-1}}$ so the values $(a_1, \dots, a_N, b_1, \dots, b_N)$ are consistent with the wiring of the circuit.

The prover uses additional commitments, entry-wise product and permutation arguments to show that the other committed values $(b_1, \dots, b_N, 0, \dots, 0)$ and $(-u_1, \dots, -u_N, 0, \dots, 0)$ are consistent with the wiring of the circuit and the values $(a_1, \dots, a_N, b_1, \dots, b_N)$; we refer to Section 8 for the details.

Finally, the prover uses the entry-wise product argument to show that the entry-wise product of $(a_1, \dots, a_N, b_1, \dots, b_N)$ and $(b_1, \dots, b_N, 0, \dots, 0)$ is $(-u_1, \dots, -u_N, 0, \dots, 0)$ so all the values respect the NAND gates.

This outline shows how to get a constant size NIZK argument for circuit satisfiability, but to enable the entry-wise product arguments and the permutation arguments the common reference string has size $O(N^2)$ group elements. In Section 9 we reduce the common reference string size by using commitments to n elements where $n < N$. With n smaller than 2N we need to give permutation arguments that span across multiple commitments though. Using permutation network techniques we manage to build such large permutations from many smaller permutations.

The technical contribution of this paper is the construction of an appropriate commitment scheme with corresponding non-interactive entry-wise product and permutation arguments. The commitment scheme is a variant of the Pedersen commitment scheme, where the commitment key is of the form $(g, g^x, \dots, g^{x^q})$. A commitment to $a_1, \dots, a_q$ is a single group element computed as $g^r \prod_{i=1}^q g^{a_i x^i}$.

The nice thing about such a commitment is that the discrete logarithm is a polynomial $r + \sum_{i=1}^q a_i x^i$. When we pair two commitments with each other we get a product of two polynomials in the exponent. By taking appropriate linear combinations over products of polynomials, we can express entry-wise products and permutations as equations over the coefficients of these polynomials. The q-CPDH assumption then allows us to conclude that these coefficients are identical and therefore the committed values satisfy an entry-wise multiplication relationship or a permutation relationship to each other.

When pairing commitments (equivalent to multiplying polynomials in the 
exponent) there will be various cross-terms. The role of the non-interactive ar- 
guments will be to cancel out these terms. Usually, a single group element paired 
with g suffices to cancel out all the cross-terms, so the non-interactive arguments 
for entry-wise products and permutations are highly efficient themselves. 

To prove that our NIZK argument is sound, we need to reason about the coefficients of these polynomials. However, a cheating prover might create a commitment without knowing an opening of it. This is where the q-PKE assumption comes in handy: the prover gives non-interactive arguments demonstrating that it "knows" the openings of the commitments. By this we mean that there is an extractor that given the same input as the prover can reconstruct the commitments together with the openings of the commitments.

2 Definitions 

Let R be an efficiently computable binary relation. For pairs $(C, w) \in R$ we call C the statement and w the witness. Let L be the NP-language consisting of statements with witnesses in R. When we restrict ourselves to statements of size N, we write respectively $L_N$ and $R_N$.

A non-interactive argument for a relation R consists of a common reference string generator algorithm K, a prover algorithm P and a verifier algorithm V that run in probabilistic polynomial time. The common reference string generator takes as input a security parameter k and the statement size N and produces a common reference string $\sigma$. The prover on input $(\sigma, C, w)$ produces an argument $\pi$. The verifier on input $(\sigma, C, \pi)$ outputs 1 if the argument is acceptable and 0 if rejecting the argument. We call $(K, P, V)$ an argument for R if it has the completeness and soundness property described below.
Perfect completeness. Completeness captures the notion that an honest prover should be able to convince an honest verifier if the statement is true. For $N = k^{O(1)}$ and all adversaries A outputting $(C, w) \in R_N$:

$\Pr[\sigma \leftarrow K(1^k, N); (C, w) \leftarrow A(\sigma); \pi \leftarrow P(\sigma, C, w) : V(\sigma, C, \pi) = 1] = 1.$

Computational soundness. Soundness captures the notion that it should be infeasible for an adversary to come up with an accepting argument for a false statement. For $N = k^{O(1)}$ and all non-uniform polynomial time adversaries A:

$\Pr[\sigma \leftarrow K(1^k, N); (C, \pi) \leftarrow A(\sigma) : C \notin L \text{ and } V(\sigma, C, \pi) = 1] \approx 0.$

Perfect witness-indistinguishability. We say a non-interactive argument $(K, P, V)$ is perfectly witness-indistinguishable if it is impossible to tell which witness the prover used when there are many possible witnesses. For $N = k^{O(1)}$ and all stateful interactive adversaries A outputting $(C, w_0), (C, w_1) \in R_N$:

$\Pr[\sigma \leftarrow K(1^k, N); (C, w_0, w_1) \leftarrow A(\sigma); \pi \leftarrow P(\sigma, C, w_0) : A(\pi) = 1]$

$= \Pr[\sigma \leftarrow K(1^k, N); (C, w_0, w_1) \leftarrow A(\sigma); \pi \leftarrow P(\sigma, C, w_1) : A(\pi) = 1].$

Perfect zero-knowledge. An argument is zero-knowledge if it does not leak any information besides the truth of the statement. We say a non-interactive argument $(K, P, V)$ is perfect zero-knowledge if there exists a polynomial time simulator $S = (S_1, S_2)$ with the following zero-knowledge property. $S_1$ outputs a simulated common reference string and a simulation trapdoor. $S_2$ takes the common reference string, the simulation trapdoor and a statement as input and produces a simulated argument. For $N = k^{O(1)}$ and all stateful interactive adversaries A outputting $(C, w) \in R_N$:

$\Pr[\sigma \leftarrow K(1^k, N); (C, w) \leftarrow A(\sigma); \pi \leftarrow P(\sigma, C, w) : A(\pi) = 1]$

$= \Pr[(\sigma, \tau) \leftarrow S_1(1^k, N); (C, w) \leftarrow A(\sigma); \pi \leftarrow S_2(\sigma, \tau, C) : A(\pi) = 1].$

3 Bilinear Groups 

Notation. Given two functions $f, g : \mathbb{N} \to [0, 1]$ we write $f(k) \approx g(k)$ when $|f(k) - g(k)| = O(k^{-c})$ for every constant $c > 0$. We say that f is negligible when $f(k) \approx 0$ and that it is overwhelming when $f(k) \approx 1$.

We write $y = A(x; r)$ when the algorithm A on input x and randomness r outputs y. We write $y \leftarrow A(x)$ for the process of picking randomness r at random and setting $y = A(x; r)$. We also write $y \leftarrow S$ for sampling y uniformly at random from the set S. We will assume it is possible to sample uniformly at random from sets such as $\mathbb{Z}_p$. We define $[n]$ to be the set $\{1, 2, \dots, n\}$.

Bilinear groups. Let $\mathcal{G}$ take a security parameter k written in unary as input and output a description of a bilinear group $(p, \mathbb{G}, \mathbb{G}_T, e) \leftarrow \mathcal{G}(1^k)$ such that

1. p is a k-bit prime.

2. $\mathbb{G}, \mathbb{G}_T$ are cyclic groups of order p.

3. $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ is a bilinear map (pairing) such that $\forall a, b : e(g^a, g^b) = e(g, g)^{ab}$.

4. If g generates $\mathbb{G}$ then $e(g, g)$ generates $\mathbb{G}_T$.

5. Membership in $\mathbb{G}, \mathbb{G}_T$ can be efficiently decided, group operations and the pairing e are efficiently computable, generators are efficiently sampleable, and the descriptions of the groups and group elements each have size $O(k)$ bits.

The security of our NIZK arguments will be based on two new assumptions, which we call respectively the q-power knowledge of exponent assumption and the q-computational power Diffie-Hellman assumption.

The q-power knowledge of exponent assumption. The knowledge of exponent (KEA) assumption says that given $g, g^\alpha$ it is infeasible to create $c, \hat{c}$ so $\hat{c} = c^\alpha$ without knowing a so $c = g^a$ and $\hat{c} = (g^\alpha)^a$. Bellare and Palacio extended this to the KEA3 assumption, which says that given $g, g^x, g^\alpha, g^{\alpha x}$ it is infeasible to create $c, \hat{c}$ so $\hat{c} = c^\alpha$ without knowing $a_0, a_1$ so $c = g^{a_0} (g^x)^{a_1}$ and $\hat{c} = (g^\alpha)^{a_0} (g^{\alpha x})^{a_1}$.

The q-power knowledge of exponent assumption is a generalization of KEA and KEA3. It says that given $(g, g^x, \dots, g^{x^q}, g^\alpha, g^{\alpha x}, \dots, g^{\alpha x^q})$ it is infeasible to create $c, \hat{c}$ so $\hat{c} = c^\alpha$ without knowing $a_0, \dots, a_q$ so $c = \prod_{i=0}^q (g^{x^i})^{a_i}$ and $\hat{c} = \prod_{i=0}^q (g^{\alpha x^i})^{a_i}$.

We will now give the formal definition of the q-power knowledge of exponent assumption. Following Abe and Fehr we write $(y; z) \leftarrow (A \| X_A)(x)$ when A on input x outputs y and $X_A$ on the same input (including the random tape of A) outputs z.

Definition 1 (q-PKE). The q(k)-power knowledge of exponent assumption holds for $\mathcal{G}$ if for every non-uniform probabilistic polynomial time adversary A there exists a non-uniform probabilistic polynomial time extractor $X_A$ so

$\Pr[(p, \mathbb{G}, \mathbb{G}_T, e) \leftarrow \mathcal{G}(1^k); g \leftarrow \mathbb{G} \setminus \{1\}; \alpha, x \leftarrow \mathbb{Z}_p^*; \sigma = (p, \mathbb{G}, \mathbb{G}_T, e, g, g^x, \dots, g^{x^q}, g^\alpha, g^{\alpha x}, \dots, g^{\alpha x^q}); (c, \hat{c}; a_0, \dots, a_q) \leftarrow (A \| X_A)(\sigma) : \hat{c} = c^\alpha \wedge c \neq \prod_{i=0}^q g^{a_i x^i}] \approx 0.$

The q-computational power Diffie-Hellman assumption. The computational Diffie-Hellman (CDH) assumption says that given $g, g^\beta, g^x$ it is infeasible to compute $g^{\beta x}$. The q-computational power Diffie-Hellman assumption is a generalization of the CDH assumption that says given $(g, g^x, \dots, g^{x^q}, g^\beta, g^{\beta x}, \dots, g^{\beta x^q})$ except for one missing element $g^{\beta x^j}$, it is hard to compute the missing element.

Definition 2 (q-CPDH). The q(k)-computational power Diffie-Hellman assumption holds for $\mathcal{G}$ if for all $j \in \{0, \dots, q\}$ and all non-uniform probabilistic polynomial time adversaries A we have

$\Pr[(p, \mathbb{G}, \mathbb{G}_T, e) \leftarrow \mathcal{G}(1^k); g \leftarrow \mathbb{G} \setminus \{1\}; x, \beta \leftarrow \mathbb{Z}_p^*; y \leftarrow A(p, \mathbb{G}, \mathbb{G}_T, e, g, g^x, \dots, g^{x^q}, g^\beta, g^{\beta x}, \dots, g^{\beta x^{j-1}}, g^{\beta x^{j+1}}, \dots, g^{\beta x^q}) : y = g^{\beta x^j}] \approx 0.$

In the full paper we give heuristic arguments for believing in the q-PKE and q-CPDH assumptions by proving that they hold in the generic group model.

4 Knowledge Commitment 

We will use a variant of the Pedersen commitment scheme in our NIZK proof where we commit to $a_1, \dots, a_q$ as $c = g^r \prod_{i \in [q]} g_i^{a_i}$. In the security proof of our NIZK argument for 3SAT we will need to extract the committed values $a_1, \dots, a_q$; but the commitment scheme itself is perfectly hiding and does not reveal the committed values. For this reason, we will require the prover to create a related commitment $\hat{c} = \hat{g}^r \prod_{i \in [q]} \hat{g}_i^{a_i}$ and rely on the q-PKE assumption for extracting the committed values. We call $(c, \hat{c})$ a knowledge commitment, since the prover cannot make a valid commitment without "knowing" the committed values.

Key generation: Pick $gk = (p, \mathbb{G}, \mathbb{G}_T, e) \leftarrow \mathcal{G}(1^k)$; $g \leftarrow \mathbb{G} \setminus \{1\}$; $x, \alpha \leftarrow \mathbb{Z}_p^*$. The commitment key is $ck = (gk, g, g_1, \dots, g_q, \hat{g}, \hat{g}_1, \dots, \hat{g}_q) = (gk, g, g^x, \dots, g^{x^q}, g^\alpha, g^{\alpha x}, \dots, g^{\alpha x^q})$ and the trapdoor key is $tk = x$.

Commitment: To commit to $a_1, \dots, a_q$ pick $r \leftarrow \mathbb{Z}_p$ and compute the knowledge commitment $(c, \hat{c})$ as

$c = g^r \prod_{i \in [q]} g_i^{a_i}, \qquad \hat{c} = \hat{g}^r \prod_{i \in [q]} \hat{g}_i^{a_i}.$

Given $(c, \hat{c}) \in \mathbb{G}^2$ we can verify that it is well-formed by checking $e(g, \hat{c}) = e(c, \hat{g})$.

Trapdoor commitment: To make a trapdoor commitment sample trapdoor randomness $t \leftarrow \mathbb{Z}_p$ and compute the knowledge commitment $(c, \hat{c})$ as $c = g^t$; $\hat{c} = \hat{g}^t$.

Trapdoor opening: The trapdoor opening algorithm on messages $a_1, \dots, a_q \in \mathbb{Z}_p$ returns the randomizer $r = t - \sum_{i \in [q]} a_i x^i$. The trapdoor opening satisfies

$c = g^r \prod_{i \in [q]} g_i^{a_i} \quad \text{and} \quad \hat{c} = \hat{g}^r \prod_{i \in [q]} \hat{g}_i^{a_i}.$

The commitment scheme has properties similar to those of standard Pedersen 
commitments as the following theorem shows. We refer to the full paper for the 
proof of the following theorem. 

Theorem 1. The commitment scheme is perfectly trapdoor and computationally binding. Assuming the q-PKE assumption holds, there exists for any non-uniform probabilistic polynomial time committer A a non-uniform probabilistic polynomial time extractor $X_A$ that computes the contents of the commitment when given the input of A (including any random coins).
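As an added illustration (not the paper's code), the following Python script instantiates the knowledge commitment above in a toy prime-order group: the order-1019 subgroup of $\mathbb{Z}_{2039}^*$, a constructed parameter far too small for security. Python's standard library has no pairing, so the well-formedness check $e(g, \hat{c}) = e(c, \hat{g})$ is replaced by the equivalent exponent-level check $\hat{c} = c^\alpha$ that only the holder of $\alpha$ can run; key generation, commitment, trapdoor commitment and trapdoor opening follow the description above.

```python
"""Knowledge commitment of Section 4 in a toy prime-order group.
Added example, not the paper's code.  The group is the order-P subgroup of
Z_Q^* for the safe prime Q = 2P + 1, P = 1019 (constructed toy parameters,
not secure).  There is no pairing here, so e(g, c_hat) = e(c, g_hat) is
replaced by the equivalent check c_hat == c^alpha that needs alpha."""
import secrets

Q = 2039   # safe prime Q = 2*P + 1 (constructed toy parameter)
P = 1019   # prime order of the subgroup generated by G
G = 4      # 4 = 2^2 is a quadratic residue, hence generates the order-P subgroup


def key_gen(q):
    """ck = (g, g_1..g_q, ghat, ghat_1..ghat_q) with g_i = g^{x^i}, ghat_i = g^{alpha x^i}.
    The paper's trapdoor is x; alpha is returned too so the demo can run the
    exponent-level stand-in for the pairing check."""
    x = 1 + secrets.randbelow(P - 1)       # x in Z_P^*
    alpha = 1 + secrets.randbelow(P - 1)   # alpha in Z_P^*
    g_pows = [pow(G, pow(x, i, P), Q) for i in range(q + 1)]   # g, g^x, ..., g^{x^q}
    ghat_pows = [pow(gi, alpha, Q) for gi in g_pows]            # g^alpha, g^{alpha x}, ...
    return {"g": g_pows, "ghat": ghat_pows, "q": q}, {"x": x, "alpha": alpha}


def commit(ck, values, r):
    """(c, c_hat) = (g^r prod_i g_i^{a_i}, ghat^r prod_i ghat_i^{a_i}), i = 1..q."""
    assert len(values) == ck["q"]
    c = pow(ck["g"][0], r, Q)
    c_hat = pow(ck["ghat"][0], r, Q)
    for i, a in enumerate(values, start=1):   # g_i = g^{x^i} sits at index i
        c = c * pow(ck["g"][i], a % P, Q) % Q
        c_hat = c_hat * pow(ck["ghat"][i], a % P, Q) % Q
    return c, c_hat


def is_well_formed(c, c_hat, alpha):
    """Stand-in for e(g, c_hat) == e(c, ghat): both pairings equal
    e(g,g)^{alpha * log_g c}, so the check is c_hat == c^alpha."""
    return pow(c, alpha, Q) == c_hat


def trapdoor_commit(ck, t):
    """c = g^t, c_hat = ghat^t: committed to nothing yet."""
    return pow(ck["g"][0], t, Q), pow(ck["ghat"][0], t, Q)


def trapdoor_open(tk, t, values):
    """Randomizer r = t - sum_i a_i x^i (mod P) opening g^t to the given values."""
    x = tk["x"]
    return (t - sum(a * pow(x, i, P) for i, a in enumerate(values, start=1))) % P
```

Opening the same trapdoor commitment to two different message vectors, as the test below does, shows the perfect hiding property the text relies on: the holder of x can produce a valid opening of $g^t$ to any message.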
4.1 Restriction Argument

Consider a subset $S \subseteq [q]$ and a commitment c. We will need an argument for the opening $r, a_1, \dots, a_q$ being such that the indices of non-zero values are restricted to S. In other words, we need an argument for the commitment being of the form $c = g^r \prod_{i \in S} g_i^{a_i}$. The argument will take the form $\pi = h^r \prod_{i \in S} h_i^{a_i}$, which intuitively corresponds to an additional argument of knowledge with respect to a small base $(h, \{h_i\}_{i \in S})$.

Setup: $gk \leftarrow \mathcal{G}(1^k)$; $ck \leftarrow K_{commit}(gk)$.

Common reference string: Given $(ck, S)$ as input pick at random $\beta \leftarrow \mathbb{Z}_p^*$ and compute the common reference string as $\sigma = (h, \{h_i\}_{i \in S}) =$

Statement: A valid knowledge commitment $(c, \hat{c})$.

Prover's witness: Opening $r, \{a_i\}_{i \in S}$ so $c = g^r \prod_{i \in S} g_i^{a_i}$ and $\hat{c} = \hat{g}^r \prod_{i \in S} \hat{g}_i^{a_i}$.

Argument: Compute the argument as $\pi = h^r \prod_{i \in S} h_i^{a_i}$.

Verification: Output 1 if and only if $e(c, h) = e(g, \pi)$.

Theorem 2. The restriction argument is perfectly complete and perfectly witness-indistinguishable. If the q-CPDH assumption holds, all non-uniform probabilistic polynomial time adversaries have negligible probability of outputting $(r, a_1, \dots, a_q, \pi)$ so $a_i \neq 0$ for some $i \notin S$ and $\pi$ is an acceptable restriction argument for the commitment corresponding to the opening.

We refer to the full paper for the proof. Observe that we phrase the soundness of the restriction argument as the inability to find an opening of the commitment that violates the restriction. Since the commitment scheme is perfectly hiding we cannot exclude the existence of openings that violate the restriction. However, if it holds that it is a knowledge commitment (Theorem 1) we see that the opening we extract from the committer must respect the restriction.

5 Common Reference String

We will now describe how to generate the common reference string for our NIZK argument. The common reference string will consist of a knowledge commitment key ck for $q = n^2 + 3n - 2$ values together with three common reference strings for restriction to the sets

$S = \{1, \dots, n\}, \qquad \bar{S} = \{(n+1), 2(n+1), \dots, n(n+1)\}, \qquad \tilde{S} = \{\ell \in [q] \mid \ell \not\equiv 0 \bmod n+2\}.$

The zero-knowledge simulation of the argument will use the same type of common reference string, and the simulation trapdoor for our NIZK argument will be the trapdoor for the knowledge commitment.

Common Reference String Generation:

On input $1^k$ and n do

1. Generate $(p, \mathbb{G}, \mathbb{G}_T, e) \leftarrow \mathcal{G}(1^k)$ and set $gk = (p, \mathbb{G}, \mathbb{G}_T, e)$.

2. Pick $g \leftarrow \mathbb{G} \setminus \{1\}$; $x, \alpha \leftarrow \mathbb{Z}_p^*$ and compute

$ck = (gk, g, \dots, g_q, \hat{g}, \dots, \hat{g}_q) = (gk, g, \dots, g^{x^{n^2+3n-2}}, g^\alpha, \dots, g^{\alpha x^{n^2+3n-2}}).$

3. Generate $\sigma \leftarrow K_{restrict}(ck, S)$ where $S = \{1, 2, \dots, n\}$.

4. Generate $\bar{\sigma} \leftarrow K_{restrict}(ck, \bar{S})$ where $\bar{S} = \{(n+1), 2(n+1), \dots, n(n+1)\}$.

5. Generate $\tilde{\sigma} \leftarrow K_{restrict}(ck, \tilde{S})$ where $\tilde{S} = \{\ell \in [q] \mid \ell \not\equiv 0 \bmod n+2\}$.

The common reference string is $\sigma = (ck, \sigma, \bar{\sigma}, \tilde{\sigma})$ and the simulation trapdoor is $tk = x$.

Given a common reference string, it is hard to find a non-trivial linear combination of $1, x, \dots, x^q$ that evaluates to 0, because we could run a polynomial factorization algorithm in $\mathbb{Z}_p[X]$ to compute the root x. We will repeatedly use this fact, so we prove the following Lemma in the full paper.

Lemma 1. If the q-CPDH assumption holds for $\mathcal{G}$ with $q = n^2 + 3n - 2$, a non-uniform probabilistic polynomial time adversary has negligible chance of finding a non-trivial linear combination $(a_0, \dots, a_q)$ such that $\sum_{i=0}^q a_i x^i = 0$ given a random common reference string $\sigma$.

6 Product Argument

Consider three commitments

$c = g^r \prod_{i \in [n]} g_i^{a_i}, \qquad d = g^s \prod_{j \in [n]} g_{j(n+1)}^{b_j}, \qquad v = g^t \prod_{i \in [n]} g_i^{u_i}, \qquad \forall i \in [n] : u_i = a_i b_i.$

With the corresponding restriction arguments, $\hat{c}, \tilde{c}, \hat{d}, \tilde{d}, \hat{v}, \tilde{v}$, we can assume the committer knows openings to values $a_1, \dots, a_n$, $b_1, \dots, b_n$ and $u_1, \dots, u_n$. We will give an argument $(\pi, \hat{\pi}, \tilde{\pi})$ consisting of three group elements for the committed values satisfying $u_1 = a_1 b_1, \dots, u_n = a_n b_n$.

In order to explain the intuition in the argument, let us consider the following toy example $c = \prod_{i \in [n]} g_i^{a_i}$ and $d = \prod_{j \in [n]} g_{j(n+1)}^{b_j}$, where we want to show $a_1 b_1 = 0, \dots, a_n b_n = 0$. The discrete logarithms of the two commitments are $\sum_{i \in [n]} a_i x^i$ and $\sum_{j \in [n]} b_j x^{j(n+1)}$ and the discrete logarithm of $e(c, d)$ is

$\Big(\sum_{i \in [n]} a_i x^i\Big) \cdot \Big(\sum_{j \in [n]} b_j x^{j(n+1)}\Big) = \sum_{i \in [n]} a_i b_i x^{i(n+2)} + \sum_{i \in [n]} \sum_{j \in [n] \setminus \{i\}} a_i b_j x^{j(n+1)+i}.$

In the final sum, the left term contains the coefficients $a_1 b_1, \dots, a_n b_n$ that are supposed to be 0; however, the right term complicates matters. The argument $\pi$ will be constructed such that it can be used to cancel out the latter term.

Notice that the left term isolates the coefficients of $x^{n+2}, \dots, x^{n(n+2)}$, while the right term does not contain any such coefficients. By giving an appropriate restriction argument, the prover can guarantee that she only cancels out the right term without interfering with the left term containing $x^{n+2}, \dots, x^{n(n+2)}$. The prover computes $\pi = \prod_{i \in [n]} \prod_{j \in [n] \setminus \{i\}} g_{j(n+1)+i}^{a_i b_j}$ and gives corresponding $\hat{\pi}, \tilde{\pi}$ values demonstrating that it knows an opening $(z, \{z_\ell\}_{\ell \in \tilde{S}})$ of $\pi$ restricted to $\tilde{S}$. The verifier will check

$e(c, d) = e(g, \pi).$

Let us now argue that we have soundness: given $\pi, \hat{\pi}, \tilde{\pi}$ such that $e(c, d) = e(g, \pi)$ the verifier can be assured that $a_1 b_1 = 0, \dots, a_n b_n = 0$. Taking discrete logarithms, the verification equation tells us that

$\sum_{i \in [n]} a_i b_i x^{i(n+2)} + \sum_{i \in [n]} \sum_{j \in [n] \setminus \{i\}} a_i b_j x^{j(n+1)+i} = z + \sum_{\ell \in \tilde{S}} z_\ell x^\ell.$

Recall, $\tilde{S} = \{\ell \in [n^2 + 3n - 2] \mid \ell \not\equiv 0 \bmod n+2\}$ so the argument $\pi$ will not contain any coefficients of the form $x^{n+2}, \dots, x^{n(n+2)}$. This means the coefficients of $x^{n+2}, \dots, x^{n(n+2)}$ are $a_1 b_1, \dots, a_n b_n$. If there is an i such that $a_i b_i \neq 0$, then we have a non-trivial polynomial equation in x. By Lemma 1 this would allow us to recover x and break the q-PKE assumption.

In the general case we want to give an argument for $a_i b_i = u_i$ instead of just $a_i b_i = 0$. However, if we evaluate $e(v, \prod_{j \in [n]} g_{j(n+1)})$ we can view the latter as a commitment to $(1, 1, \dots, 1)$ and we will get their products $u_1 \cdot 1, \dots, u_n \cdot 1$ as coefficients of $x^{n+2}, \dots, x^{n(n+2)}$. If $u_1 = a_1 b_1, \dots, u_n = a_n b_n$ the two pairings $e(c, d)$ and $e(v, \prod_{j \in [n]} g_{j(n+1)})$ therefore have the same coefficients of $x^{n+2}, \dots, x^{n(n+2)}$ and otherwise the coefficients are different. As in the toy example above, we may choose $\pi$ such that it cancels out all the other terms. Due to the restriction to $\tilde{S}$ the argument will not have any $x^{n+2}, \dots, x^{n(n+2)}$ terms and we therefore get soundness. In the general case, the commitments also have randomizers and we will choose $\pi$ such that it also cancels out these terms.

Statement: Commitments $c, d, v \in \mathbb{G}$.

Prover's witness: Openings $r, a_1, \dots, a_n$ and $s, b_1, \dots, b_n$ and $t, u_1, \dots, u_n$ so

$c = g^r \prod_{i \in [n]} g_i^{a_i}, \qquad d = g^s \prod_{j \in [n]} g_{j(n+1)}^{b_j}, \qquad v = g^t \prod_{i \in [n]} g_i^{u_i}, \qquad \forall i \in [n] : u_i = a_i b_i.$

Argument: Compute the argument $(\pi, \hat{\pi}, \tilde{\pi})$ as

$\pi = g^{rs} \prod_{i \in [n]} g_i^{s a_i} \prod_{j \in [n]} g_{j(n+1)}^{r b_j - t} \prod_{i \in [n]} \prod_{j \in [n] \setminus \{i\}} g_{j(n+1)+i}^{a_i b_j - u_i}$

$\hat{\pi} = \hat{g}^{rs} \prod_{i \in [n]} \hat{g}_i^{s a_i} \prod_{j \in [n]} \hat{g}_{j(n+1)}^{r b_j - t} \prod_{i \in [n]} \prod_{j \in [n] \setminus \{i\}} \hat{g}_{j(n+1)+i}^{a_i b_j - u_i}$

$\tilde{\pi} = h^{rs} \prod_{i \in [n]} h_i^{s a_i} \prod_{j \in [n]} h_{j(n+1)}^{r b_j - t} \prod_{i \in [n]} \prod_{j \in [n] \setminus \{i\}} h_{j(n+1)+i}^{a_i b_j - u_i}$

Verification: Output 1 if and only if

$e(g, \hat{\pi}) = e(\pi, \hat{g}) \;\wedge\; e(g, \tilde{\pi}) = e(\pi, h) \;\wedge\; e(c, d) = e\Big(v, \prod_{j \in [n]} g_{j(n+1)}\Big) e(g, \pi).$

Theorem 3. The product argument has perfect completeness and perfect witness-indistinguishability. If the q-CPDH assumption holds, then a non-uniform probabilistic polynomial time adversary has negligible chance of outputting commitments $(c, d, v)$ and an accepting argument $\pi$ with corresponding openings of the commitments and the argument such that for some $i \in [n]$ we have $a_i b_i \neq u_i$.

The proof can be found in the full paper.

The product argument has two commitments with restriction to S and one commitment restricted to $\bar{S}$. It is quite easy to translate commitments back and forth between S and $\bar{S}$ though. If we have two commitments v and d restricted to respectively S and $\bar{S}$, we can give a product argument for the values in v being the product of the values in $c = \prod_{i \in [n]} g_i$ and d. Since c is a commitment to $(1, \dots, 1)$ this proves that v and d contain the same values.

The product argument makes it possible to prove that the committed values in a commitment c are bits encoded as $\pm 1$. If we give a product argument for $\prod_{i \in [n]} g_i$ (a commitment to $(1, \dots, 1)$) being the product of the values in c and in d, where d contains the same values as c, then we have that the values satisfy $a_i^2 = 1$, which implies $a_i = \pm 1$.

7 Permutation Argument

Consider two commitments and a permutation

$c = g^r \prod_{i \in [n]} g_i^{a_i}, \qquad d = g^s \prod_{i \in [n]} g_i^{b_i}, \qquad p \in S_n, \qquad \forall i \in [n] : b_i = a_{p(i)}.$

We will now give an argument for the committed values satisfying $b_i = a_{p(i)}$, where $p \in S_n$ is a publicly known permutation.

The idea behind the permutation argument is to show

$\sum_{i \in [n]} a_i x^{i(n+2)} = \sum_{i \in [n]} b_i x^{p(i)(n+2)}.$

By Lemma 1 this implies $b_i = a_{p(i)}$ for all $i \in [n]$.

To get the desired linear combination we compute $e(c, \prod_{j \in [n]} g_{j(n+1)})$ and $e(d, \prod_{j \in [n]} g_{p(j)(n+2)-j})$. They have discrete logarithms

$r \sum_{j \in [n]} x^{j(n+1)} + \sum_{i \in [n]} a_i x^{i(n+2)} + \sum_{i \in [n]} \sum_{j \in [n] \setminus \{i\}} a_i x^{j(n+1)+i}$

and

$s \sum_{j \in [n]} x^{p(j)(n+2)-j} + \sum_{i \in [n]} b_i x^{p(i)(n+2)} + \sum_{i \in [n]} \sum_{j \in [n] \setminus \{i\}} b_i x^{p(j)(n+2)+i-j}.$

We have the desired sums $\sum_{i \in [n]} a_i x^{i(n+2)}$ and $\sum_{i \in [n]} b_i x^{p(i)(n+2)}$ but due to the extra terms it is not the case that $e(c, \prod_{j \in [n]} g_{j(n+1)}) = e(d, \prod_{j \in [n]} g_{p(j)(n+2)-j})$.

The prover will construct an argument $\pi$ that cancels out the extra terms and the verifier will check that

$e\Big(c, \prod_{j \in [n]} g_{j(n+1)}\Big) = e\Big(d, \prod_{j \in [n]} g_{p(j)(n+2)-j}\Big) e(g, \pi).$

The prover also gives a restriction argument $\hat{\pi}, \tilde{\pi}$ such that the verifier is guaranteed that $\pi$ does not contain any $x^{n+2}, \dots, x^{n(n+2)}$ terms. Soundness now follows from the verification equation giving us $\sum_{i \in [n]} a_i x^{i(n+2)} = \sum_{i \in [n]} b_i x^{p(i)(n+2)}$ when $\pi$ is free of $x^{n+2}, \dots, x^{n(n+2)}$ terms.

Statement: Commitments $c, d \in \mathbb{G}$ and permutation $p \in S_n$.

Prover's witness: Openings $r, a_1, \dots, a_n \in \mathbb{Z}_p$ and $s, b_1, \dots, b_n \in \mathbb{Z}_p$ so

$c = g^r \prod_{i \in [n]} g_i^{a_i} \quad \text{and} \quad d = g^s \prod_{i \in [n]} g_i^{b_i} \quad \text{and} \quad \forall i \in [n] : b_i = a_{p(i)}.$

Argument: Compute the argument as

$\pi = \prod_{j \in [n]} g_{j(n+1)}^{r} \, g_{p(j)(n+2)-j}^{-s} \prod_{i \in [n]} \prod_{j \in [n] \setminus \{i\}} g_{j(n+1)+i}^{a_i} \, g_{p(j)(n+2)+i-j}^{-b_i}$

$\hat{\pi} = \prod_{j \in [n]} \hat{g}_{j(n+1)}^{r} \, \hat{g}_{p(j)(n+2)-j}^{-s} \prod_{i \in [n]} \prod_{j \in [n] \setminus \{i\}} \hat{g}_{j(n+1)+i}^{a_i} \, \hat{g}_{p(j)(n+2)+i-j}^{-b_i}$

$\tilde{\pi} = \prod_{j \in [n]} h_{j(n+1)}^{r} \, h_{p(j)(n+2)-j}^{-s} \prod_{i \in [n]} \prod_{j \in [n] \setminus \{i\}} h_{j(n+1)+i}^{a_i} \, h_{p(j)(n+2)+i-j}^{-b_i}$

Verification: Output 1 if and only if $e(g, \hat{\pi}) = e(\pi, \hat{g})$, $e(g, \tilde{\pi}) = e(\pi, h)$ and $e(c, \prod_{j \in [n]} g_{j(n+1)}) = e(d, \prod_{j \in [n]} g_{p(j)(n+2)-j}) e(g, \pi)$.

Theorem 4. The permutation argument has perfect completeness and perfect witness-indistinguishability. If the q-CPDH assumption holds, a non-uniform probabilistic polynomial time adversary has negligible chance of outputting a permutation p, commitments $(c, d)$ and an acceptable argument $(\pi, \hat{\pi}, \tilde{\pi})$ with corresponding openings of the commitments and the argument such that for some $i \in [n]$ we have $b_i \neq a_{p(i)}$.

The proof can be found in the full paper.
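Both the product argument of Section 6 and the permutation argument of Section 7 are, in the exponent, polynomial identities. The following Python script (an added example, not code from the paper) makes that view concrete: it represents each group element by the polynomial in x that is its discrete logarithm, multiplies polynomials in place of pairing, and checks the restriction to $\tilde{S}$ as a condition on which degrees occur in $\pi$. The cheating cases reproduce the soundness reasoning of the text: a wrong $u_i$ or a wrong $b_i$ forces a non-zero coefficient of $x^{i(n+2)}$ into $\pi$, which the restriction argument forbids. The field size $P = 1019$ and the sample openings in the usage are constructed.

```python
"""Exponent-level view of the product argument (Section 6) and the permutation
argument (Section 7).  Added example, not the paper's code.  A group element
g^{f(x)} is represented by the polynomial f as {degree: coefficient mod P};
pairing two elements multiplies their polynomials, and the restriction to S~
becomes a condition on the degrees that may occur.  P = 1019 is a constructed
toy field size."""
P = 1019


def padd(f, g, sign=1):
    """Return f + sign*g over Z_P with zero coefficients dropped."""
    h = dict(f)
    for d, c in g.items():
        h[d] = (h.get(d, 0) + sign * c) % P
        if h[d] == 0:
            del h[d]
    return h


def pmul(f, g):
    """Polynomial product: the discrete logarithm of the pairing e(g^f, g^g)."""
    h = {}
    for d1, c1 in f.items():
        for d2, c2 in g.items():
            h[d1 + d2] = (h.get(d1 + d2, 0) + c1 * c2) % P
    return {d: c for d, c in h.items() if c}


def commit_poly(r, values, position):
    """log of g^r * prod_{i=1..n} g_{position(i)}^{values[i-1]}."""
    f = {0: r % P} if r % P else {}
    for i, a in enumerate(values, start=1):
        f = padd(f, {position(i): a % P})
    return f


def in_S_tilde(f, n):
    """True if f is a legal opening of an element restricted to
    S~ = {l : l != 0 mod n+2}; the randomizer (degree 0) is always allowed."""
    return all(d == 0 or d % (n + 2) != 0 for d in f)


def ones_in_S_bar(n):
    """log of prod_{j in [n]} g_{j(n+1)}: a commitment to (1,...,1) at the S-bar positions."""
    return commit_poly(0, [1] * n, lambda j: j * (n + 1))


def product_argument(n, c, d, v):
    """Prover: log(pi) with e(c,d) = e(v, prod g_{j(n+1)}) e(g,pi).  pi lies in S~
    exactly when every coefficient of x^{i(n+2)}, i.e. a_i b_i - u_i, is zero."""
    return padd(pmul(c, d), pmul(v, ones_in_S_bar(n)), sign=-1)


def verify_product(n, c, d, v, pi):
    """Verifier: the pairing equation plus the restriction of pi to S~ (the real
    verifier sees only group elements and checks the same equation via pairings)."""
    return pmul(c, d) == padd(pmul(v, ones_in_S_bar(n)), pi) and in_S_tilde(pi, n)


def shifted_key(n, p):
    """log of prod_{j in [n]} g_{p(j)(n+2)-j}; p is a list with p[j-1] = p(j)."""
    return commit_poly(0, [1] * n, lambda j: p[j - 1] * (n + 2) - j)


def permutation_argument(n, c, d, p):
    """Prover: log(pi) with e(c, prod g_{j(n+1)}) = e(d, prod g_{p(j)(n+2)-j}) e(g,pi).
    The coefficient of x^{k(n+2)} in pi is a_k - b_{p^{-1}(k)}, zero iff b_i = a_{p(i)}."""
    return padd(pmul(c, ones_in_S_bar(n)), pmul(d, shifted_key(n, p)), sign=-1)


def verify_permutation(n, c, d, p, pi):
    lhs = pmul(c, ones_in_S_bar(n))
    return lhs == padd(pmul(d, shifted_key(n, p)), pi) and in_S_tilde(pi, n)


def forbidden_degrees(pi, n):
    """Degrees of pi outside S~: the x^{i(n+2)} terms a cheating prover cannot cancel."""
    return sorted(d for d in pi if d and d % (n + 2) == 0)


if __name__ == "__main__":   # constructed sample openings with n = 3
    n = 3
    c = commit_poly(11, [2, 3, 4], lambda i: i)
    d = commit_poly(22, [5, 6, 7], lambda j: j * (n + 1))
    v = commit_poly(33, [10, 18, 28], lambda i: i)
    print("honest product argument accepted:", verify_product(n, c, d, v, product_argument(n, c, d, v)))
    bad_v = commit_poly(33, [10, 18, 29], lambda i: i)
    print("cheating prover needs degrees", forbidden_degrees(product_argument(n, c, d, bad_v), n))
```

Because $\pi$ is defined as the difference of the two pairings, the verification equation always holds at the exponent level; what separates honest from cheating provers is whether that difference can be opened within $\tilde{S}$, which is exactly what `forbidden_degrees` reports.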

8 Constant Size NIZK Argument for Circuit Satisfiability

We will now give an NIZK argument for the satisfiability of a NAND-gate circuit C, which consists of a constant number of group elements but has a large common reference string. Let $a$ be the output wire of the circuit and add an extra self-looping NAND gate $a = \neg(a \wedge b)$ to force $a$ to be true. This reduces the satisfiability problem to demonstrating that there is a truth-value assignment to the wires such that C is internally consistent with all the NAND-gates. In the following let the value $-1$ correspond to false and $+1$ correspond to true. We now give the full NIZK argument outlined in the introduction.

CRS: Generate common reference string $\sigma = (ck, \sigma, \bar{\sigma}, \tilde{\sigma})$ with $n = 2N$.

Statement: A circuit C with N NAND-gates, where we want to prove the wires can be assigned values such that the circuit is internally consistent.

Witness: 2N input values $a_1, \dots, a_N, b_1, \dots, b_N \in \{-1, 1\}$ for the N gates that are consistent with the wires in the circuit and respect the NAND-gates. Define $u_1, \dots, u_N$ to be the values of the output wires and let $r_1, \dots, r_N$ be the remaining values in $(a_1, \dots, a_N, b_1, \dots, b_N)$ (either inputs to the circuit or duplicates of NAND-gate output wires appearing multiple times as inputs to other NAND-gates).

Argument:

1. Make restricted commitment $(c_{a\|b}, \hat{c}_{a\|b}, \tilde{c}_{a\|b})$ to $(a_1, \dots, a_N, b_1, \dots, b_N)$.

2. Make restricted commitment $(d_{a\|b}, \hat{d}_{a\|b}, \tilde{d}_{a\|b})$ to $(a_1, \dots, a_N, b_1, \dots, b_N)$.

3. Make restricted commitment $(c_{b\|a}, \hat{c}_{b\|a}, \tilde{c}_{b\|a})$ to $(b_1, \dots, b_N, a_1, \dots, a_N)$.

4. Make restricted commitment $(c_{b\|0}, \hat{c}_{b\|0}, \tilde{c}_{b\|0})$ to $(b_1, \dots, b_N, 0, \dots, 0)$.

5. Make restricted commitment $(c_{u\|r}, \hat{c}_{u\|r}, \tilde{c}_{u\|r})$ to $(u_1, \dots, u_N, r_1, \dots, r_N)$.

6. Make restricted commitment $(c_{-u\|0}, \hat{c}_{-u\|0}, \tilde{c}_{-u\|0})$ to $(-u_1, \dots, -u_N, 0, \dots, 0)$.

7. Show that $c_{a\|b}$ and $d_{a\|b}$ contain the same values by giving a product argument for $c_{a\|b}$ containing the entry-wise product of the values in $\prod_{i=1}^{n} g_i$ (a commitment to $(1, \dots, 1, 1, \dots, 1)$) and $d_{a\|b}$.

8. Show that $a_1, \dots, a_N, b_1, \dots, b_N \in \{-1, 1\}$ by giving a product argument for $\prod_{i=1}^{n} g_i$ (a commitment to $(1, \dots, 1, 1, \dots, 1)$) containing the entry-wise product of the values in $c_{a\|b}$ and $d_{a\|b}$.

9. Show that the values are internally consistent with the wires. The values $a_{i_1}, \dots, a_{i_t}, b_{j_1}, \dots, b_{j_m}$ may for instance all correspond to the same wire. Pick a permutation $p \in S_{2N}$ such that it contains cycles of the form

$i_1 \to i_2 \to \dots \to i_t \to j_1 + N \to \dots \to j_m + N \to i_1$

for all sets of values corresponding to the same wire. Give a permutation argument for $c_{a\|b}$ containing the p-permutation of the values in $c_{a\|b}$. For each set corresponding to the same wire, this shows $a_{i_2} = a_{i_1}, \dots, b_{j_1} = a_{i_t}, \dots, b_{j_m} = b_{j_{m-1}}$ so the values must be the same.

10. Give a permutation argument for $c_{u\|r}$ and $c_{a\|b}$ showing that the output values $(u_1, \dots, u_N)$ are consistent with the input values $(a_1, \dots, a_N, b_1, \dots, b_N)$. (The $(r_1, \dots, r_N)$ values are the remaining N values in $(a_1, \dots, a_N, b_1, \dots, b_N)$ that correspond to duplicates of an output wire or input wires to the circuit.)

11. Give a permutation argument for $c_{b\|a}$ containing the swap of the values in $c_{a\|b}$.

12. Give a product argument for $c_{b\|0}$ containing the entry-wise product of the values in $c_{b\|a}$ and $\prod_{j=1}^{N} g_{j(n+1)}$ (contains $(1, \dots, 1, 0, \dots, 0)$).

13. Give a product argument for $c_{-u\|0}$ containing the entry-wise product of the values in $c_{u\|r}$ and $\prod_{j=1}^{N} g_{j(n+1)}^{-1}$ (contains $(-1, \dots, -1, 0, \dots, 0)$).

14. Show the NAND-gates are respected by giving a product argument for $c_{-u\|0}$ containing the entry-wise product of the values in $c_{b\|0}$ and $d_{a\|b}$.

The argument consists of the 6 knowledge commitments with corresponding restriction arguments, the 5 product arguments and the 3 permutation arguments given above. The total size is 42 group elements.

Verification: Accept the argument if and only if the 6 knowledge commitments are well-formed, their corresponding restriction arguments are acceptable, the 5 product arguments are acceptable and the 3 permutation arguments are acceptable.

Theorem 5. The NIZK argument for circuit satisfiability is perfectly complete and perfectly zero-knowledge. If the q-PKE and q-CPDH assumptions hold with $q = 4N^2 + 6N - 2$, then the NIZK argument is computationally sound.

The proof can be found in the full paper.
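The following Python script (an added example, not code from the paper) spells out the witness encoding of steps 1 to 14 on a small constructed circuit: it builds the vector $(a_1, \dots, a_N, b_1, \dots, b_N)$, the wiring permutation $p \in S_{2N}$ of step 9, the permutation of step 10 that places the output values $u_i$ in front of the remaining values $r_i$, and checks the vector relations that the product arguments of steps 8 and 14 establish. The gate relation is taken exactly as the page states it in the $\pm 1$ encoding, $u_i = -a_i b_i$. Only the vector relations are checked here; the commitments and arguments themselves are the constructions of Sections 4 to 7.

```python
"""Witness encoding for the circuit-satisfiability argument of Section 8.
Added example, not the paper's code.  A circuit is a list of N gates
(left_input_wire, right_input_wire, output_wire); false/true are -1/+1, and
the gate relation is used exactly as the page states it, u_i = -a_i b_i."""


def wire_at(gates, pos, N):
    """Wire carried at position pos (1-based) of (a_1..a_N, b_1..b_N)."""
    return gates[pos - 1][0] if pos <= N else gates[pos - N - 1][1]


def witness_vectors(gates, assignment):
    """(a||b) and u from a wire assignment {wire: +-1}."""
    ab = [assignment[g[0]] for g in gates] + [assignment[g[1]] for g in gates]
    u = [assignment[g[2]] for g in gates]
    return ab, u


def wiring_permutation(gates, N):
    """Step 9: p in S_{2N} (1-based dict) with one cycle
    i_1 -> ... -> i_t -> j_1+N -> ... -> j_m+N -> i_1 per wire, over all positions
    of (a||b) that carry that wire (a wire used once maps to itself)."""
    cycles = {}
    for pos in range(1, 2 * N + 1):
        cycles.setdefault(wire_at(gates, pos, N), []).append(pos)
    p = {}
    for cyc in cycles.values():
        for k, pos in enumerate(cyc):
            p[pos] = cyc[(k + 1) % len(cyc)]
    return p


def wiring_consistent(ab, p):
    """The relation the step-9 permutation argument proves: ab[i] == ab[p(i)]."""
    return all(ab[i - 1] == ab[p[i] - 1] for i in p)


def output_permutation(gates, N):
    """Step 10: sigma in S_{2N} with (u||r)_i = (a||b)_{sigma(i)}.  Each gate's output
    wire is matched to one position of (a||b) carrying it (every output must feed
    some gate; the self-loop of the reduction guarantees this for the circuit
    output), and the remaining positions become r_1..r_N in order."""
    used, sigma = set(), {}
    for i, (_, _, out) in enumerate(gates, start=1):
        cands = [q for q in range(1, 2 * N + 1)
                 if q not in used and wire_at(gates, q, N) == out]
        if not cands:
            raise ValueError("output wire %r is not used as a gate input" % out)
        used.add(cands[0])
        sigma[i] = cands[0]
    rest = [q for q in range(1, 2 * N + 1) if q not in used]
    for k, pos in enumerate(rest, start=N + 1):
        sigma[k] = pos
    return sigma


def check_witness(gates, assignment):
    """Returns (bits_ok, wiring_ok, outputs_ok, gates_ok): values are +-1 (step 8),
    (a||b) is invariant under p (step 9), (u||r) is the sigma-permutation of (a||b)
    (step 10), and (a||b) * (b||0) = (-u||0) entry-wise (steps 12 to 14)."""
    N = len(gates)
    ab, u = witness_vectors(gates, assignment)
    p = wiring_permutation(gates, N)
    sigma = output_permutation(gates, N)
    bits_ok = all(x * x == 1 for x in ab)
    wiring_ok = wiring_consistent(ab, p)
    outputs_ok = [ab[sigma[i] - 1] for i in range(1, N + 1)] == u
    b_zero = ab[N:] + [0] * N
    gates_ok = [x * y for x, y in zip(ab, b_zero)] == [-x for x in u] + [0] * N
    return bits_ok, wiring_ok, outputs_ok, gates_ok


# Constructed sample: w1, w2 are circuit inputs, w6 is the output wire carrying
# the self-loop gate (w6, w5, w6) of the reduction; N = 3 gates.
GATES = [("w1", "w2", "w4"), ("w4", "w1", "w5"), ("w6", "w5", "w6")]
GOOD = {"w1": 1, "w2": -1, "w4": 1, "w5": -1, "w6": 1}
```

Changing `w5` to `+1` in `GOOD` keeps the wiring checks satisfied (every position carrying a wire still agrees) but breaks the gate relation, which illustrates why steps 9 and 10 alone do not establish satisfiability and the product argument of step 14 is needed.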

Arithmetic circuits. It is possible to adjust our NIZK argument to handle arithmetic circuits consisting of addition and multiplication gates over $\mathbb{Z}_p$. The commitment scheme is homomorphic so if we multiply two commitments we get the sum of their values, which can be used to handle the addition gates. The multiplication gates can be handled with our product arguments.

9 Reducing the Common Reference String

In the previous section, we constructed constant size NIZK arguments. The common reference string, however, grows quadratically in the size of the circuit. If the NIZK argument is only used a few times the cost of setting up the common reference string may be prohibitive. In this section, we will outline how to reduce the size of the common reference string in return for increasing the size of the argument. If the circuit has $2N = n^d$ wires for some constant $d > 1$ we get a common reference string with $O(n^2)$ group elements and an NIZK argument with $O(n^{d-1})$ group elements. If we choose $d = 3$, the combined size of the CRS and the NIZK argument is $O(N^{2/3})$ group elements, making both components sub-linear in the circuit size.

The idea is to reduce the common reference string and let each commitment hold fewer values. If we have a circuit with $n^d$ wires and a common reference string of size $q = n^2 + 3n - 2 = O(n^2)$, the set S will permit the commitment of n elements at a time. Each commitment is a constant number of group elements, but now we use $n^{d-1}$ commitments to commit to all the $2N = n^d$ input values to the gates. The product and permutation arguments are also of constant size, but they only work on commitments to n values. If we look at our NIZK argument, the product argument can be used on each of the $n^{d-1}$ triples of commitments containing n values each so there is no problem here. The permutation argument is not useful though, because we need to permute $2N = n^d$ committed values spread across $n^{d-1}$ commitments. The goal in this section is to build a permutation argument for two $n^{d-1}$-tuples of commitments to a total of $2N = n^d$ values each. The permutation argument consists of $O(n^{d-1})$ group elements and uses the existing CRS consisting of $O(n^2)$ group elements.
9.1 Permutation Argument Spanning Multiple Commitments 

Consider two sets of $n$ commitments $c_1, \ldots, c_n$ and $d_1, \ldots, d_n$ to values $a_{11}, \ldots, a_{nn}$ 
and $b_{11}, \ldots, b_{nn}$. We will use a Clos network to give an argument for the two 
sets of committed values being permutations of each other for a publicly known 
permutation $p \in S_{n^2}$. The idea in a Clos network is to build large permutations 
from smaller permutations. Consider a permutation $p \in S_{n^2}$. First we divide 
the elements into $n$ blocks of $n$ elements and permute the elements within each 
block. Next, we distribute the elements in each block evenly over $n$ other blocks, 
giving us a new set of $n$ blocks each containing one element from each of the 
previous blocks. We permute the elements in each block again. Once again, we 
distribute the elements in each block evenly over $n$ new blocks. Finally, we permute 
the elements within the last blocks to get the elements permuted in the desired 
order. The permutations in the Clos network vary depending on $p$, whereas the 
distributions between blocks are fixed and independent of $p$. 

To give a permutation argument for $\{c_i\}_{i\in[n]}$ and $\{d_i\}_{i\in[n]}$ containing the same 
values permuted according to $p \in S_{n^2}$, the prover builds a Clos network 
for the permutation $p$. She constructs 4 sets of $n$ intermediate commitments 
$\{c'_i\}_{i\in[n]}, \{v_i\}_{i\in[n]}, \{v'_i\}_{i\in[n]}, \{d'_i\}_{i\in[n]}$ together with arguments of knowledge and 
restriction arguments. Each commitment contains a block of $n$ values in the middle 
stages of the Clos network. She uses the permutation argument for single commitments 
from the earlier section to show that for all $i \in [n]$ the pairs of commitments 
$(c_i, c'_i)$, $(d_i, d'_i)$ and $(v_i, v'_i)$ contain the same elements in permuted order as 
dictated by $p \in S_{n^2}$. The remaining problem is to give an argument for having 
dispersed the values between $\{c'_i\}_{i\in[n]}$ and $\{v_j\}_{j\in[n]}$ such that for each $c'_i$ the $n$ 
committed values have been dispersed to $n$ different $v_j$'s, and to give a dispersion 
argument for having spread the values in $\{v'_i\}_{i\in[n]}$ to $\{d'_j\}_{j\in[n]}$ such that for each 
$v'_i$ the $n$ committed values have been dispersed to $n$ different $d'_j$'s. We present a 
dispersion argument in Section 9.2 which uses the existing CRS consisting of $O(n^2)$ 
group elements and has an argument size of $O(1)$ group elements. Counting the 
cost of commitments, within-block permutation arguments and the dispersion 
arguments, we get a total size of $O(n)$ group elements for proving that two sets 
of $n$ commitments to $n$ values each are related by a publicly known permutation 
$p \in S_{n^2}$. 

Once we have a permutation argument for $n^2$ values spread over $n$ commitments, 
we can recursively get permutation arguments for larger permutations. 
The cost for a permutation of $n^d$ elements spread over two sets of $n^{d-1}$ commitments 
is $O(n^{d-1})$ group elements for any constant $d$. 
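The Clos-network routing sketched above, as an added worked example in Python (this is not code from the paper). Given a permutation $p \in S_{n^2}$, written as a list `p` with `p[s]` the destination index of the element at index `s`, it computes the three stages of within-block permutations; the fixed dispersion between stages is realised as a transpose of the $n \times n$ block/slot grid. The middle-stage block of every element is found as $n$ edge-disjoint perfect matchings of the bipartite multigraph (source block, destination block), which is exactly what makes the second stage routable; the matching routine and all names here are the example's own.

```python
import random


def transpose(elems, n):
    """The fixed dispersion between stages: the element in (block i, slot j)
    moves to (block j, slot i).  `elems` is a flat list of n*n items, block-major."""
    return [elems[j * n + i] for i in range(n) for j in range(n)]


def apply_block_permutations(elems, sigma, n):
    """Apply sigma[block][old_slot] = new_slot inside every block."""
    out = [None] * (n * n)
    for blk in range(n):
        for slot in range(n):
            out[blk * n + sigma[blk][slot]] = elems[blk * n + slot]
    return out


def _perfect_matching(remaining, p, n):
    """Kuhn's augmenting-path algorithm on the bipartite multigraph
    source block -> destination block, one edge per element s in `remaining`.
    Returns match_r[bd] = element routed to destination block bd."""
    match_r = [-1] * n

    def augment(bs, seen):
        for s in remaining[bs]:
            bd = p[s] // n
            if seen[bd]:
                continue
            seen[bd] = True
            if match_r[bd] == -1 or augment(match_r[bd] // n, seen):
                match_r[bd] = s
                return True
        return False

    for bs in range(n):
        if not augment(bs, [False] * n):
            raise ValueError("graph is not regular; no perfect matching")
    return match_r


def route_clos(p, n):
    """Decompose p into three stages sigma1, sigma2, sigma3 of block permutations."""
    if sorted(p) != list(range(n * n)):
        raise ValueError("p must be a permutation of [n^2]")
    remaining = [[s for s in range(n * n) if s // n == bs] for bs in range(n)]
    middle = [None] * (n * n)          # middle-stage block of each element
    for colour in range(n):            # peel off n edge-disjoint perfect matchings
        for s in _perfect_matching(remaining, p, n):
            middle[s] = colour
            remaining[s // n].remove(s)
    sigma1 = [[None] * n for _ in range(n)]
    sigma2 = [[None] * n for _ in range(n)]
    sigma3 = [[None] * n for _ in range(n)]
    for s in range(n * n):
        bs, bd, m = s // n, p[s] // n, middle[s]
        sigma1[bs][s % n] = m          # slot m, so the transpose sends s to block m
        sigma2[m][bs] = bd             # in block m it sits in slot bs; aim it at bd
        sigma3[bd][m] = p[s] % n       # in block bd it sits in slot m; final slot
    return sigma1, sigma2, sigma3


def run_network(elems, stages, n):
    s1, s2, s3 = stages
    x = apply_block_permutations(elems, s1, n)
    x = transpose(x, n)
    x = apply_block_permutations(x, s2, n)
    x = transpose(x, n)
    return apply_block_permutations(x, s3, n)


def check_routing(p, n):
    """True iff the routed network realises p on the identity input."""
    out = run_network(list(range(n * n)), route_clos(p, n), n)
    return all(out[p[s]] == s for s in range(n * n))


if __name__ == "__main__":
    n = 4
    p = list(range(n * n))
    random.shuffle(p)                # constructed random permutation in S_16
    print("network realises p:", check_routing(p, n))
```

Each `sigma` list is a within-block permutation, which is the object the single-commitment permutation argument is applied to; the two transposes are the dispersions that Section 9.2's argument certifies.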


9.2 Dispersion Argument 

Consider a matrix of $n^2$ values $a_{11}, \ldots, a_{nn}$. We can view commitments $c_1, \ldots, c_n$ 
given by $c_j = g^{r_j}\prod_{i\in[n]} g_i^{a_{ij}}$ as commitments to the columns of the matrix. 
Similarly, we can view $d_1, \ldots, d_n$ given by $d_i = g^{s_i}\prod_{j\in[n]} g_{j(n+1)}^{b_{ij}}$ as commitments 
to the rows of the matrix. We give an argument for demonstrating that $c_1, \ldots, c_n$ 
and $d_1, \ldots, d_n$ contain respectively the columns and the rows of the same $n \times n$ 


338 J. Groth 


matrix. This means that for each $c_j$ the $n$ committed values have been distributed 
to $n$ different commitments $d_1, \ldots, d_n$. 

To get some intuition for the construction, consider first the simple case where 
all the randomizers are 0. We then have 

$$\prod_{j\in[n]} e\big(c_j, g_{j(n+1)}\big) = \prod_{i\in[n]} e\big(g_i, d_i\big).$$

Taking discrete logarithms on both sides of the equation we get 

$$\sum_{j\in[n]}\sum_{i\in[n]} a_{ij}\, x^{j(n+1)+i} = \sum_{i\in[n]}\sum_{j\in[n]} b_{ij}\, x^{j(n+1)+i},$$

which by Lemma 1 implies $a_{ij} = b_{ij}$ for all $i, j \in [n]$. Due to the randomizers 
this verification equation will not hold in general though. The prover therefore 
constructs an argument $(\pi_L, \pi_R, \pi'_L, \pi'_R, \tilde\pi_L, \tilde\pi_R)$ consisting of six group elements 
such that the cross-terms arising from the randomizers cancel out. 


Statement: Commitments $c_1, \ldots, c_n, d_1, \ldots, d_n \in G$. 

Prover's witness: Openings $r_1, \ldots, r_n$, $a_{11}, \ldots, a_{nn}$, $s_1, \ldots, s_n$, $b_{11}, \ldots, b_{nn}$ such that 

$$\forall i, j \in [n]: \qquad c_j = g^{r_j}\prod_{i\in[n]} g_i^{a_{ij}}, \qquad d_i = g^{s_i}\prod_{j\in[n]} g_{j(n+1)}^{b_{ij}}, \qquad a_{ij} = b_{ij}.$$

Argument: Pick $t \leftarrow \mathbb{Z}_p$ at random and compute the argument 
$(\pi_L, \pi_R, \pi'_L, \pi'_R, \tilde\pi_L, \tilde\pi_R)$ as 

$$\pi_L = g^t \prod_{j\in[n]} g_{j(n+1)}^{-r_j}, \qquad \pi'_L = g'^{\,t} \prod_{j\in[n]} g'^{\,-r_j}_{j(n+1)}, \qquad \tilde\pi_L = h^t \prod_{j\in[n]} h_{j(n+1)}^{-r_j},$$

$$\pi_R = g^t \prod_{i\in[n]} g_i^{-s_i}, \qquad \pi'_R = g'^{\,t} \prod_{i\in[n]} g'^{\,-s_i}_i, \qquad \tilde\pi_R = h^t \prod_{i\in[n]} h_i^{-s_i}.$$

Verification: Output 1 if and only if 

$$e(g, \pi'_R) = e(\pi_R, g'), \qquad e(g, \tilde\pi_R) = e(\pi_R, h), \qquad e(g, \pi'_L) = e(\pi_L, g'), \qquad e(g, \tilde\pi_L) = e(\pi_L, h)$$

and 

$$e(g, \pi_L) \prod_{j\in[n]} e\big(c_j, g_{j(n+1)}\big) = e(g, \pi_R) \prod_{i\in[n]} e\big(g_i, d_i\big).$$

Theorem 6. The dispersion argument is perfectly complete and perfectly 
witness-indistinguishable. If the $q$-CPDH assumption holds, a non-uniform probabilistic 
polynomial time adversary has negligible chance of producing commitments 
$c_1, \ldots, c_n, d_1, \ldots, d_n$ and an accepting argument $(\pi_L, \pi_R, \pi'_L, \pi'_R, \tilde\pi_L, \tilde\pi_R)$ 
with corresponding openings of the commitments and the argument such that 
$c_1, \ldots, c_n$ and $d_1, \ldots, d_n$ are commitments to two different matrices. 

We refer to the full paper for the proof. 
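To see the cross-term cancellation concretely, here is an added simulation in Python of the main verification equation of the dispersion argument (it is not the paper's code). Every group element is represented by its discrete logarithm base $g$, and a pairing $e(g^u, g^v)$ by the product $uv$ in the exponent of $e(g,g)$, so the column commitments $c_j$, the row commitments $d_i$ and $\pi_L, \pi_R$ are integers modulo a toy prime `P` standing in for the group order. The trapdoor $x$ appears only because it is needed to evaluate the simulated pairings; a real verifier never sees it. The knowledge checks on $\pi'$ and $\tilde\pi$ are omitted, and all function names are the example's own.

```python
import random

P = (1 << 127) - 1   # toy prime standing in for the group order; everything lives in the exponent


def xpow(x, k):
    return pow(x, k, P)


def commit_columns(a, r, x):
    """log c_j = r_j + sum_i a_ij x^i      (c_j = g^{r_j} prod_i g_i^{a_ij})."""
    n = len(a)
    return [(r[j] + sum(a[i][j] * xpow(x, i + 1) for i in range(n))) % P for j in range(n)]


def commit_rows(b, s, x):
    """log d_i = s_i + sum_j b_ij x^{j(n+1)}   (d_i = g^{s_i} prod_j g_{j(n+1)}^{b_ij})."""
    n = len(b)
    return [(s[i] + sum(b[i][j] * xpow(x, (j + 1) * (n + 1)) for j in range(n))) % P
            for i in range(n)]


def make_argument(r, s, x, t):
    """log pi_L = t - sum_j r_j x^{j(n+1)},   log pi_R = t - sum_i s_i x^i."""
    n = len(r)
    pi_l = (t - sum(r[j] * xpow(x, (j + 1) * (n + 1)) for j in range(n))) % P
    pi_r = (t - sum(s[i] * xpow(x, i + 1) for i in range(n))) % P
    return pi_l, pi_r


def verify_in_exponent(c, d, pi_l, pi_r, x):
    """e(g,pi_L) prod_j e(c_j, g_{j(n+1)}) == e(g,pi_R) prod_i e(g_i, d_i), evaluated in
    the exponent of e(g,g).  x is used here only to simulate the pairings."""
    n = len(c)
    lhs = (pi_l + sum(c[j] * xpow(x, (j + 1) * (n + 1)) for j in range(n))) % P
    rhs = (pi_r + sum(xpow(x, i + 1) * d[i] for i in range(n))) % P
    return lhs == rhs


def monomials_distinct(n):
    """x^{j(n+1)+i}, i,j in [n], are pairwise distinct monomials, which is why equality
    of the two exponent polynomials forces a_ij = b_ij entry by entry."""
    exps = [(j + 1) * (n + 1) + (i + 1) for i in range(n) for j in range(n)]
    return len(set(exps)) == n * n


def demo(n=3, seed=1):
    """Honest run accepts; the same argument is rejected once one row entry differs."""
    rng = random.Random(seed)
    x, t = rng.randrange(2, P), rng.randrange(P)
    a = [[rng.randrange(P) for _ in range(n)] for _ in range(n)]
    r = [rng.randrange(P) for _ in range(n)]
    s = [rng.randrange(P) for _ in range(n)]
    c, d = commit_columns(a, r, x), commit_rows(a, s, x)   # columns and rows of one matrix
    pi_l, pi_r = make_argument(r, s, x, t)
    honest = verify_in_exponent(c, d, pi_l, pi_r, x)
    b = [row[:] for row in a]
    b[0][0] = (b[0][0] + 1) % P                            # rows of a different matrix
    forged = verify_in_exponent(c, commit_rows(b, s, x), pi_l, pi_r, x)
    return honest, forged


if __name__ == "__main__":
    print(demo(), monomials_distinct(3))
```

The $-r_j$ and $-s_i$ exponents in $\pi_L$ and $\pi_R$ cancel the $r_j x^{j(n+1)}$ and $s_i x^i$ terms contributed by the commitments, leaving $t + \sum_{i,j} a_{ij} x^{j(n+1)+i}$ on the left and $t + \sum_{i,j} b_{ij} x^{j(n+1)+i}$ on the right; the shared $t$ is what makes the pair witness-indistinguishable.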
Abstract. We show that probabilistically checkable proofs can be used 
to shorten non-interactive zero-knowledge proofs. We obtain publicly verifiable 
non-interactive zero-knowledge proofs for circuit satisfiability with 
adaptive and unconditional soundness where the size grows quasi-linearly 
in the number of gates. The zero-knowledge property relies on the existence 
of trapdoor permutations, or it can be based on a specific number 
theoretic assumption related to factoring to get better efficiency. As an 
example of the latter, we suggest a non-interactive zero-knowledge proof 
for circuit satisfiability based on the Naccache-Stern cryptosystem consisting 
of a quasi-linear number of bits. This yields the shortest known 
non-interactive zero-knowledge proof for circuit satisfiability. 

Keywords: Non-interactive zero-knowledge proofs, adaptive soundness, 
probabilistically checkable proofs, Naccache-Stern encryption. 


1 Introduction 

Zero-knowledge proofs introduced by Goldwasser, Micali and Rackoff [GMR89] 
are interactive protocols that enable a prover to convince a verifier about the 
truth of a statement without leaking any information but the fact that the 
statement is true. Blum, Feldman and Micali [BFM88] followed up by introducing 
non-interactive zero-knowledge (NIZK) proofs where the prover outputs just 
one message called a proof, which convinces the verifier of the truth of the 
statement. The central properties of zero-knowledge proofs and non-interactive 
zero-knowledge proofs are completeness, soundness and zero-knowledge. 

Completeness: If the statement is true, the prover should be able to convince 
the verifier. 

Soundness: A malicious prover should not be able to convince the verifier if 
the statement is false. 

Zero-knowledge: A malicious verifier learns nothing except that the statement 
is true. 

In this paper, we focus on the NP-complete language of circuit satisfiability, 
which is the most widely studied language in the context of non-interactive zero-knowledge 
proofs. The statement is a binary circuit $C$ and a claim that there 
exists an input, a witness $w$, such that the circuit outputs 1 when evaluated on 
$w$. The prover has the witness $w$ as a private input, while the statement $C$ is 
public and known both to the prover and the verifier. 

* Supported by Engineering and Physical Sciences Research Council grant number 

Only languages in BPP have non-interactive zero-knowledge proofs in the 
plain model without any setup [Ore87, GO94, GK96]. Blum, Feldman and Micali 
[BFM88] therefore suggested the common reference string model, where the 
prover and the verifier have access to a trusted bit-string. The common reference 
string can for instance be generated by a trusted third party or by a set of parties 
executing a multi-party computation protocol. Groth and Ostrovsky [GO07] have 
as an alternative suggested NIZK proofs in the multi-string model, where many 
parties generate a random string and the security of the NIZK proof relies on a 
majority of the strings being honestly generated. In this paper, we work in the 
common random string model, where the common reference string is a trusted 
uniformly random bit-string. 

NIZK proofs have many applications, ranging from early chosen-ciphertext 
secure public-key cryptosystems to recent advanced signature 
schemes [BW06, CGS07]. They have therefore been studied carefully in the literature. 
Blum, Feldman and Micali [BFM88] proposed an NIZK proof for all of 
NP based on a number theoretic assumption related to factoring. Feige, Lapidot 
and Shamir [FLS99] gave an NIZK proof for all of NP based on the existence 
of trapdoor permutations. While these results established the existence of NIZK 
proofs based on general assumptions, other works [Dam92, DDP02, KP98] have 
aimed at reducing the complexity of NIZK proofs. Gentry's fully homomorphic 
cryptosystem based on lattices can reduce the complexity of an NIZK to grow 
linearly in the witness size as opposed to the circuit size [Gen09]. Groth, Ostrovsky 
and Sahai [GOS06b, GOS06a, Gro06, GS08] have constructed highly 
efficient NIZK proofs using techniques from pairing-based cryptography. 


1.1 Our Contribution 

We construct NIZK proofs for circuit satisfiability with a size that grows quasi-linearly 
in the size of the circuit. Our NIZK proofs have perfect completeness, 
statistical soundness, and computational zero-knowledge. The zero-knowledge 
property of the NIZK proofs can be based on trapdoor permutations or, for 
higher efficiency, on the semantic security of the Naccache-Stern cryptosystem 
based on higher residues [NS98]. 

The Naccache-Stern cryptosystem is based on a decisional assumption in RSA-type 
groups, which predates but is otherwise incomparable to the decisional 
assumptions used in pairing-based NIZK proofs. Surprisingly, the construction 
based on the Naccache-Stern cryptosystem has better asymptotic efficiency than 
the recent pairing-based NIZK proofs for circuit satisfiability [GOS06b, GOS06a, 
GS08] (although pairing-based NIZK proofs remain more efficient for practical 
purposes due to the large constants involved in our construction). With pairing 
group elements of size $k_G$ and a circuit size that is polynomial in the security 
parameter $k$ we get an asymptotic improvement over pairing-based NIZK proofs 
of a multiplicative factor $\frac{\mathrm{poly}(k)}{\mathrm{polylog}(k)}$. This brings the NIZK proof size within a 
$\mathrm{polylog}(k)$ factor of the size of the circuit itself. 

Table 1. Comparison of NIZK proofs for security parameter $k$, circuit size $|C| = 
k^{O(1)}$, witness size $|w|$, trapdoor permutations over $\{0,1\}^{k_T}$, and pairing group size $k_G$ 
(usually $k_G \approx k^3$ for $2^{-k}$ security [GPS08]). 

                          CRS size                                  Proof size                                Assumption 
Kilian-Petrank [KP98]     $\omega(|C| k_T k \log k)$                $\omega(|C| k_T k \log k)$                trapdoor perm. 
This work                 $|C| k_T \log^c(k) + \mathrm{poly}(k)$    $|C| k_T \log^c(k) + \mathrm{poly}(k)$    trapdoor perm. 
Gentry [Gen09]            $\mathrm{poly}(k)$                        $|w|\,\mathrm{poly}(k)$                   lattice-based 
GOS [GOS06b]              $\Theta(k_G)$                             $\Theta(|C| k_G)$                         pairing-based 
This work                 $|C| \log^c(k) + \mathrm{poly}(k)$        $|C| \log^c(k) + \mathrm{poly}(k)$        Naccache-Stern 

In Table 1 we compare our NIZK proofs with the current state of the art 
NIZK proofs for circuit satisfiability based on respectively trapdoor permutations 
[KP98] and specific number theoretic assumptions [GOS06b, GOS06a]. All of 
these NIZK proofs have an efficient (probabilistic polynomial time) prover and 
they are all publicly verifiable. 

Soundness and zero-knowledge can be adaptive or non-adaptive. In non-adaptive 
soundness and zero-knowledge, the statement to be proven is chosen 
independently of the common reference string. Usually, NIZK proofs are used in 
a context where the common reference string is publicly available though, and it 
is therefore unreasonable to assume the statement is independent of the common 
reference string.¹ Adaptive soundness and adaptive zero-knowledge refer to the 
more realistic setting, where NIZK proofs need to be sound and zero-knowledge 
even when the common reference string is publicly available and the statement 
may depend on the common reference string. Our NIZK proofs are both adaptively 
sound and adaptively zero-knowledge, and in Table 1 we have compared 
the schemes in the efficient prover, adaptive soundness setting. 

1.2 New Techniques 

PCPs in NIZK. Probabilistically checkable proofs (PCPs) [AS98, ALM+98, 
Din07] are proofs for a statement that can be verified by reading a few bits in the 
proof instead of reading the whole proof. A PCP for a circuit being satisfiable will 
be larger than the circuit itself; however, one only needs to read a few bits of the proof 
to get more than 50% chance of detecting an attempt to prove a false statement. By 
reading more bits, we can get exponentially small risk of wrongly being convinced 
by the PCP. 

PCPs have been very useful in the context of zero-knowledge arguments. Kilian 
[Kil92] for instance suggested a sub-linear size zero-knowledge argument, 
where the prover commits to the bits of a PCP and the verifier asks the prover 
to reveal the content of a few of these commitments. 

¹ We have a hard time thinking of any applications where non-adaptive soundness 
suffices, while non-adaptive zero-knowledge sometimes may be useful. 

We use PCPs in a different way. In our NIZK proofs the prover will prove 
that all queries to the PCP have satisfactory answers. At first sight this may 
seem counterintuitive; the PCP will be larger than the statement itself and it is 
odd that increasing the statement size would help us in shortening the size of 
the NIZK proofs. Using a PCP for the statement, however, has the advantage 
that the verifier can grant the malicious prover a non-trivial chance of falsely 
answering some of the queries, as long as there are other queries where he will 
detect the attempt to cheat. This stands in contrast to traditional NIZK proofs, 
where the verifier needs high certainty for every single part of the statement 
being correct. 

To illustrate our technique, consider an NIZK proof such as Kilian-Petrank 
[KP98]. They first reduce circuit satisfiability to 3SAT5, where each clause has 
three variables and each variable appears in at most 5 clauses. By choosing 
a trapdoor permutation and revealing hard-core bits related to the common 
reference string, the prover can demonstrate that each clause is satisfied. There 
is a risk of error though, and the prover therefore needs to repeat the proof many 
times for each clause to increase the soundness guarantee. 

Our idea is to use a PCP in a pre-processing step before applying the techniques 
of Kilian and Petrank. The effect of the PCP (see Section 3) is to increase 
the gap between satisfiable and unsatisfiable statements. In a standard 3SAT5 
statement there are unsatisfiable statements where all but one clause can be 
satisfied. With the PCP, however, we can ensure that either all clauses can be 
satisfied or alternatively a constant fraction of the clauses are unsatisfied. The 
advantage over Kilian and Petrank's NIZK proof is that now we have resilience 
towards errors in individual clauses. Even if a malicious prover succeeds in falsely 
creating NIZK proofs for some of the clauses being satisfied, we still get soundness 
as long as this only happens for a small constant fraction of clauses. We 
can therefore avoid the repetition of proofs that Kilian and Petrank needed. 

Implementing a Hidden Random String. We construct our NIZK proofs 
in two steps. We use cryptographic techniques to convert the common reference 
string into a hidden string of random bits, where the prover may selectively 
disclose some of the bits and keep other bits secret. We then construct NIZK 
proofs that assume the existence of a string of hidden bits, where the prover may 
keep some of them secret and reveal others to the verifier. 

Feige, Lapidot and Shamir [FLS99] suggested the following way of implementing 
the hidden bits model. When working with trapdoor permutations, we can 
interpret the common reference string as a string of images of the trapdoor 
permutation. The hidden random bits are hardcore bits of the pre-images. The 
prover may with the knowledge of the trapdoor learn all the hidden random bits. 
By revealing a pre-image to the trapdoor permutation, she can disclose the value 
of a particular hidden random bit. This is a costly approach, however, since we 
only get one hidden random bit per trapdoor permutation image. In general, the 
common reference string has to be a factor $k_T$ larger than the hidden random 
string, where $k_T$ is the size of a trapdoor permutation value. 

The second contribution of this paper is using the Naccache-Stern cryptosystem 
[NS98] to reduce the cost of implementing the hidden bits model. We interpret 
the common reference string as a series of ciphertexts, but with the 
Naccache-Stern cryptosystem each ciphertext may hold many hardcore bits. The 
message space is of the form $\mathbb{Z}_P$, where $P = \prod_{i=1}^{n} p_i$ is a product of small primes 
of size $\log k$. We will show that with the Naccache-Stern cryptosystem, it is possible 
to disclose the plaintext modulo $p_i$ without revealing the rest of the plaintext. 
This means that we can have hidden random bits in each ciphertext, 
giving a common reference string that is only a factor $O(\log k)$ larger than the 
hidden random string. 

Combining PCPs and the Naccache-Stern cryptosystem, we get the asymptotically 
shortest known NIZK proofs for circuit satisfiability consisting of a 
quasi-linear number of bits. 

1.3 Overview 

We construct NIZK proofs for circuit satisfiability in three steps. In Section 3 we 
describe how a PCP can be used to convert the circuit into a Gap-3SAT5 formula, 
where either all clauses are satisfiable or alternatively at least a constant 
fraction of the clauses are unsatisfiable. In Section 4 we construct an NIZK proof in the 
hidden bits model, where it is assumed that the prover has access to a string of 
uniformly random bits and may reveal an arbitrary subset of these bits and their 
positions to the verifier. Finally, in Sections 5 and 6 we show how to implement 
the hidden bits model under the general assumption of the existence of trapdoor 
permutations and more efficiently under a concrete number theoretic assumption 
related to factoring. The two main contributions of the paper are the conceptual 
idea of using PCPs in a preprocessing step as described in Section 3 and the introduction 
of a new technique for efficiently implementing the hidden random bits 
model using the Naccache-Stern cryptosystem described in Section 6. 

2 Preliminaries 

Notation. Given two functions $f, g : \mathbb{N} \to [0,1]$ we write $f(k) \approx g(k)$ when 
$|f(k) - g(k)| = O(k^{-c})$ for every constant $c > 0$. We say that $f$ is negligible if 
$f(k) \approx 0$ and that $f$ is overwhelming if $f(k) \approx 1$. 

We write $y = A(x; r)$ when the algorithm $A$ on input $x$ and randomness 
$r$ outputs $y$. We write $y \leftarrow A(x)$ for the process of picking randomness $r$ at 
random and setting $y = A(x; r)$. We also write $y \leftarrow S$ for sampling $y$ uniformly 
at random from the set $S$. We will for convenience assume uniform random 
sampling from various types of sets is possible; there are easy ways to amend 
our protocols to the case where the sets are only sampleable with a distribution 
that is statistically close to uniform. 

NIZK proofs. Let $R$ be a polynomial time computable binary relation. For 
pairs $(C, w) \in R$ we call $C$ the statement and $w$ the witness. Let $L$ be the NP-language 
consisting of statements with witnesses in $R$. In this paper, we will 
focus on the case where the statements are circuits and $L$ is the language of 
satisfiable circuits, i.e., where there exists an input $w$ so $C(w) = 1$. The size of 
the NIZK proofs will depend on the size of the statement. We will write $L_n$ for 
the language of satisfiable circuits consisting of $n$ binary gates and write $R_n$ for 
the corresponding relation. 

An efficient-prover non-interactive proof for the relation $R$ consists of three 
probabilistic polynomial time algorithms $(K, P, V)$. $K$ is the common reference 
string generator that takes the security parameter written in unary $1^k$ and an 
intended statement size $n$ as input and outputs a common reference string $\sigma$ of 
length $\Omega(k)$. $P$ is the prover algorithm that takes as input the common reference 
string $\sigma$, a statement $C$ and a witness $w$ so $(C, w) \in R$ and outputs a proof $\pi$. $V$ 
is the verifier algorithm that on a common reference string $\sigma$, a statement $C$ and 
a proof $\pi$ outputs 0 or 1. We interpret a verifier output of 0 as a rejection of the 
proof and a verifier output of 1 as an acceptance of the proof. We call $(K, P, V)$ a 
non-interactive proof system for $R$ if it is complete and sound as described below. 

Perfect completeness. Completeness means that a prover with a witness 
can convince the verifier. For all adversaries $\mathcal{A}$ and $n = k^{O(1)}$ we have 

$$\Pr\big[\sigma \leftarrow K(1^k, n);\ (C, w) \leftarrow \mathcal{A}(\sigma);\ \pi \leftarrow P(\sigma, C, w) : V(\sigma, C, \pi) = 1 \text{ if } (C, w) \in R_n\big] = 1.$$

Statistical soundness. Soundness means that it is impossible to convince the 
verifier of a false statement. For all non-uniform polynomial time adversaries $\mathcal{A}$ 
and $n = k^{O(1)}$ we have 

$$\Pr\big[\sigma \leftarrow K(1^k, n);\ (C, \pi) \leftarrow \mathcal{A}(\sigma) : C \notin L_n \text{ and } V(\sigma, C, \pi) = 1\big] \approx 0.$$

Computational zero-knowledge. A non-interactive argument $(K, P, V)$ is 
computationally zero-knowledge if it is possible to simulate the proof of a true 
statement without knowing the witness. Formally, we require the existence of 
a probabilistic polynomial time simulator $S = (S_1, S_2)$. $S_1$ outputs a simulated 
common reference string $\sigma$ and a simulation trapdoor $\tau$. $S_2$ takes the simulation 
trapdoor and a statement as input and produces a simulated proof $\pi$. We require 
for all non-uniform polynomial time stateful interactive adversaries $\mathcal{A}$ and $n = 
k^{O(1)}$ that 

$$\Pr\big[\sigma \leftarrow K(1^k, n);\ (C, w) \leftarrow \mathcal{A}(\sigma);\ \pi \leftarrow P(\sigma, C, w) : (C, w) \in R_n \text{ and } \mathcal{A}(\pi) = 1\big]$$

$$\approx \Pr\big[(\sigma, \tau) \leftarrow S_1(1^k, n);\ (C, w) \leftarrow \mathcal{A}(\sigma);\ \pi \leftarrow S_2(\tau, C) : (C, w) \in R_n \text{ and } \mathcal{A}(\pi) = 1\big].$$

3 Preprocessing with Probabilistically Checkable Proofs 

We start by giving a polynomial time reduction $f$ from circuit satisfiability to 
Gap-3SAT5. The reduction $f$ takes as its input a circuit with $n$ binary gates 
and outputs a 3SAT formula with $N = n\,\mathrm{polylog}\,n$ variables and $\frac{5}{3}N$ clauses. 
The 3SAT formula will be such that each variable appears exactly 3 times as a 
positive literal and 2 times as a negative literal. If the input of $f$ is a satisfiable 
circuit $C$, it will output a satisfiable 3SAT5 formula $\phi = f(C)$. If the circuit 
$C$ is unsatisfiable, the reduction $f$ will output a formula $\phi = f(C)$ such that 
all assignments have at least $\alpha N$ unsatisfied clauses for some constant $\alpha > 0$. 
We also need a polynomial time witness-reduction $f_w$, which on input $C, w$ such 
that $C(w) = 1$ outputs a satisfying assignment $f_w(C, w)$ for the 3SAT5 formula 
$\phi = f(C)$. 

The first step in our reduction is to map the circuit $C$ to a constraint graph 
$G(C)$ with the following properties. The vertices of the constraint graph $G$ may 
be assigned values from a constant size alphabet $\Sigma$, and each edge between two vertices 
describes a constraint on the values that they may be assigned. When starting 
with a satisfiable circuit, the output is a satisfiable constraint graph. However, 
on an unsatisfiable circuit the output is an unsatisfiable constraint graph where 
any assignment violates at least an $\alpha_0$-fraction of the constraints for some constant 
$\alpha_0 > 0$. The polynomial time assignment tester [DR04] given by Dinur [Din07] in 
her proof of the PCP theorem has the properties described above. Moreover, given 
a witness for the satisfiability of the circuit $C$, we may in polynomial time compute 
a satisfying assignment for the constraint graph $G(C)$. Dinur's most efficient 
assignment tester, building on work by Ben-Sasson and Sudan [BSS08], outputs a 
constraint graph $G(C)$ with $n\,\mathrm{polylog}\,n$ vertices and edges. 

Given a constraint graph $G$ over a constant size alphabet $\Sigma$, we assign a 
constant number of binary variables to each vertex such that it is possible to 
represent any element from the alphabet $\Sigma$. Each constraint between two vertices 
is of constant size (at most $|\Sigma|^2$), and we can therefore write out a constant size 3SAT formula 
describing the constraint. Taking the conjunction of all these 3SAT formulas, we 
reduce the constraint graph to a 3SAT formula with $n\,\mathrm{polylog}\,n$ variables and 
clauses. A satisfying assignment for the constraint graph gives us a satisfying 
assignment to the 3SAT formula. Since each vertex has a constant number of 
variables associated with it, and each constraint has a constant number of clauses 
associated with it, a constraint graph with a constant fraction $\alpha_0$ of unsatisfiable 
constraints reduces to a 3SAT formula with an $\alpha_1$ fraction of unsatisfiable clauses 
for some constant $\alpha_1 > 0$. 

Finally, we reduce the 3SAT formula to a 3SAT5 formula where each variable 
appears in the clauses as exactly 5 literals and each clause has exactly 3 literals. 
First we copy clauses and variables so each clause has exactly 3 literals and each 
variable appears at least 3 times. Then the $\ell$ appearances of a variable as a positive 
literal $x_i$ or a negative literal $\neg x_i$ are replaced with copies $x_{i1}, \ldots, x_{i\ell}$. For 
each copy we add 4 clauses for consistency in the truth value assignment with 
the predecessor $x_{i,(j-1) \bmod \ell}$ and the successor $x_{i,(j+1) \bmod \ell}$ according to whether 
the original variable appeared as a positive or negative literal. In these consistency 
clauses the copy appears twice as a negative literal and twice as a positive 
literal, so all copies appear as exactly 3 positive literals and 2 negative literals in 
the resulting 3SAT5 formula. This is a linear size reduction, so we end up with 
$n\,\mathrm{polylog}\,n$ variables and clauses. A satisfying assignment for the 3SAT formula 
gives us a satisfying assignment for the resulting 3SAT5 formula. A 3SAT formula 
with a constant fraction $\alpha_1$ of unsatisfiable clauses gives a 3SAT5 formula 
with an $\alpha$ fraction of unsatisfiable clauses for some constant $\alpha > 0$. 
In summary, there is a pair of polynomial time algorithms $(f, f_w)$ and a constant 
$\alpha > 0$ so: 

Reduction: $f$ takes as input a circuit $C$ with $n$ gates and outputs a 3SAT5 formula 
$f(C)$ with $N = n\,\mathrm{polylog}\,n$ variables. Each variable appears as 3 positive 
literals and 2 negative literals, and each clause has exactly 3 literals. If $C$ is 
satisfiable, then $f(C)$ is satisfiable. If $C$ is unsatisfiable, then all assignments 
to the variables of $f(C)$ leave at least $\alpha N$ clauses unsatisfied. 
Witness-preservation: $f_w$ takes as input a circuit $C$ with $n$ gates and a witness 
for $C$ being satisfiable and outputs a truth value assignment satisfying 
the 3SAT5 formula $f(C)$. 

4 NIZK Proofs in the Hidden Bits Model 

We will now give an NIZK proof in the hidden-bits model for Gap-3SAT5 
satisfiability. The ideas in this section are quite similar to Kilian and Petrank 
[KP98], although our setting allows us to simplify their scheme. 

Let $L_N$ be the language of satisfiable 3SAT5 formulae with $N$ variables and 
$\frac{5}{3}N$ clauses, where each variable appears as 3 positive literals and 2 negative 
literals. Let $R_N$ be the corresponding relation of formulae and satisfying assignments. 
Further, define $L_N^{\alpha}$ as the language of formulae in $L_N$ that have a 
truth-value assignment to the variables that leaves at most $\alpha N$ clauses unsatisfied. 
We will be interested in a hidden-bits NIZK proof $(\ell_H(N), P_H, V_H)$ for $R_N$ 
with perfect completeness, $(\alpha, \epsilon_H(N))$-soundness, and perfect zero-knowledge as 
described below. 

Perfect completeness. For all $N \in 3\mathbb{N}$ and all $(\phi, w) \in R_N$ we have 

$$\Pr\big[\rho \leftarrow \{0,1\}^{\ell_H(N)};\ (i_1, \ldots, i_t) \leftarrow P_H(\rho, \phi, w) : V_H(\phi, i_1, \rho_{i_1}, \ldots, i_t, \rho_{i_t}) = 1\big] = 1.$$

Statistical soundness. For all $N \in 3\mathbb{N}$ and all adversaries $\mathcal{A}$ 

$$\Pr\big[\rho \leftarrow \{0,1\}^{\ell_H(N)};\ (\phi, i_1, \ldots, i_t) \leftarrow \mathcal{A}(\rho) : \phi \notin L_N^{\alpha} \text{ and } V_H(\phi, i_1, \rho_{i_1}, \ldots, i_t, \rho_{i_t}) = 1\big] \le \epsilon_H(N).$$

Perfect zero-knowledge. There exists a probabilistic polynomial time simulator 
$S_H$ such that for all $N \in 3\mathbb{N}$ and all $(\phi, w) \in R_N$ the distribution 

$$\big\{\rho \leftarrow \{0,1\}^{\ell_H(N)};\ (i_1, \ldots, i_t) \leftarrow P_H(\rho, \phi, w) : (i_1, \rho_{i_1}, \ldots, i_t, \rho_{i_t})\big\}$$

is identical to the distribution 

$$\big\{(i_1, \rho_{i_1}, \ldots, i_t, \rho_{i_t}) \leftarrow S_H(\phi) : (i_1, \rho_{i_1}, \ldots, i_t, \rho_{i_t})\big\}.$$
4.1 Hidden-Bits NIZK Proof for Gap-3SAT5 

Let $\phi$ be a 3SAT5 formula with $N$ variables and $\frac{5}{3}N$ clauses, where each variable 
appears exactly thrice as a positive literal $x_i$ and twice as a negative literal $\neg x_i$ 
in the clauses. The verifier has the promise that either there is an assignment to 
the variables so all clauses are satisfied, or all assignments of truth values to the 
variables lead to more than $\alpha N$ unsatisfied clauses. The prover has a satisfying 
assignment and wants to give an NIZK proof in the hidden bits model for $\phi$ 
being satisfiable. 

We first sketch the NIZK proof and then afterwards explain the main ideas 
in the construction. There is some freedom in the choice of parameters; for 
concreteness we suggest a = [~], $b = \lceil \log N \rceil$, $\Delta = \lceil \frac{N}{\log N} \rceil$. 

Statement: A 3SAT5 formula $\phi \in L_N$. 

Prover's input: A string $\rho$ of $6a\,2^{6a}(bN + \Delta)$ hidden bits. A truth-value assignment 
to the variables $x_1, \ldots, x_N$ so $\phi(x_1, \ldots, x_N) = 1$. 

Proof: 

1. Interpret the hidden bits as 6a2 6a ~ 1 (bN + A) consecutive pairs of bits. 
Each pair of bits is interpreted as one of three possible characters ac- 
cording to the following scheme 

00 = 0 01 = W 10 = W 11 = 1. 

Later the prover may reveal one of the bits in a character. In a wildcard 
character W the prover can reveal either 0 or 1, whereas 0 can only be 
revealed as 0 and 1 can only be revealed as 1. 

2. Interpret the characters as 2 6o_1 (WV + A) consecutive 6a-character 
blocks. Call a block good if it has exactly 3a W-characters and they 
are either all in the first half of the block or all in the second half of the 
block. Otherwise, call the block bad. 

3. A block has 2 1 ~ 6a chance of being good, so we expect on average (bN + 
A) good blocks. If the number of good blocks is outside the interval 
[bN; bN + 2 A] reveal all hidden bits and halt. 

4. Reveal to the verifier all the hidden bits associated with bad blocks. 

5. Assign the first b good blocks to the first variable, etc., so each variable 
has b blocks assigned to it. The remaining good blocks will not be used. 

6. Interpret each good block as a set of 6 consecutive a-character strings 
(see examples in Figure Q}. Assign in the order of appearance, 5 of these 
a-character strings to the 5 appearances of their variable Xi in the clauses 
as follows. If the witness has Xi = 1, assign the 3 wildcard strings to the 
3 appearances of x t , and the first 2 0/1-strings to the 2 appearances of 
-i Xi- If the witness has Xi = 0, assign the first 2 wildcard strings to the 
2 appearances of ~<Xi and the 3 0/1-strings to the 3 appearances of 
Taking all good blocks into account, each appearance of x it or -<Xi has b 
a-character strings assigned to it. 

7. Each clause has 3 literals, and each literal has a corresponding tuple
of $b$ $\alpha$-character strings. Pick at random a literal for which the $b$
$\alpha$-character strings only contain wildcard characters. Such a literal must
exist since the clause is satisfied by the truth-value assignment. For the
other two literals reveal a random bit in each character's bit pair, thereby
revealing two $\alpha b$-bit strings. In the remaining wildcard literal, reveal in
each wildcard character one of the bits, such that the revealed $\alpha b$-bit
string is the exclusive-or of the two other $\alpha b$-bit strings.

8. The proof consists of the revealed bits. If the number of good blocks is
outside the interval $[bN; bN+2\Delta]$ the proof reveals all hidden bits. Else,
the proof reveals the hidden bits of the bad blocks and a $\frac{5}{12}$-fraction of
the hidden bits in the first $bN$ good blocks.

Verification: 

1. If the proof reveals all hidden bits, return 1 if the number of good blocks
is outside the range $[bN; bN+2\Delta]$ and else return 0.

2. Verify that there are no good blocks among the blocks where all bits 
have been revealed. 

3. Verify that there are at most $bN+2\Delta$ blocks where some of the bits
remain hidden. Associate the first $bN$ blocks with the variables in the
order of appearance.

4. Verify that in each of the $bN$ blocks corresponding to variables, exactly
5 of the 6 $\alpha$-character strings have one revealed bit in each character.
Verify also that in each block either the last $\alpha$-character string in the
first half of the block, or the last $\alpha$-character string in the second half of
the block has no revealed bits. Based on this, each revealed $\alpha$-bit string
can be uniquely associated with a corresponding literal in a clause.

5. For each clause, verify that the exclusive-or of the two $\alpha b$-bit strings
corresponding to the first 2 literals equals the $\alpha b$-bit string corresponding
to the third literal.

6. Return 1 if all verifications passed, else return 0. 

In the first step, note that there is 50% chance that a character is a wildcard 
and 50% chance that it is a 0 or a 1. Later, the prover will open some of the 
characters by revealing one of the bits. Wildcards can be opened as 0 or 1, 
whereas 0 can only be opened as 0 and 1 can only be opened as 1. The prover 
sets up the strings so wildcards correspond to true literals and non-wildcards 
correspond to false literals. In satisfied clauses there is a true literal, which can 
be opened at will. This is what gives the prover with a satisfying assignment the 
power to convince the verifier. On the other hand, in an unsatisfied clause there 
will only be non-wildcard characters associated with the false literals, which will
reduce the power of the prover and make it hard to convince the verifier of a 
false statement. Finally, for zero-knowledge we can set more of the characters to 
be wildcard characters. This will make it possible to simulate a proof without 
knowing a satisfying truth assignment for the statement. 

We interpret the string of characters as blocks of $6\alpha$ characters. There will be
an expected number of $bN+\Delta$ good blocks. We can use Chernoff bounds to see
that there is high probability that most of the hidden blocks that have not been
revealed are indeed good blocks. The point of sampling good blocks is that they
represent a consistent view of a variable. All true literals are assigned wildcard
strings, all false literals are assigned non-wildcard strings.
|010...101|100...011|010...110|WW...W|WW...W|WW...W|

|WW...W|WW...W|WW...W|010...110|000...111|100...101|

Fig. 1. Two examples of good blocks


The important thing to note is that with wildcard strings, the prover may open
the true literals to any $\alpha$-bit string. For the false literals, however, the prover
is bound to a particular $\alpha$-bit string. We require that in each clause, the prover
should open 3 $\alpha$-bit strings, such that they exclusive-or to 0. In clauses with a true
literal this is easy to accomplish, since the prover may open the corresponding
wildcard string to any $\alpha$-bit string. This gives us completeness. In unsatisfied
clauses, however, the prover has 3 fixed $\alpha$-bit strings and the probability of their
exclusive-or being 0 is $2^{-\alpha}$. For each unsatisfied clause, we therefore get a good
chance of catching a cheating prover.
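The wildcard/XOR mechanism just described, as an added Python model (not code from the paper): it implements the block test of step 2, the clause opening of prover step 7 for a single clause with $b = 1$, and the XOR check of verification step 5, and then estimates the $2^{-\alpha}$ cheating probability for an unsatisfied clause. The helper names and the sample strings are this example's own constructions.

```python
import random
from typing import List, Optional, Tuple

Pair = Tuple[int, int]      # one hidden-bit pair
String = List[Pair]         # an alpha-character string (alpha pairs)


def char_of(pair: Pair) -> str:
    """00 -> '0', 11 -> '1', 01/10 -> 'W' (wildcard)."""
    return "W" if pair[0] != pair[1] else str(pair[0])


def is_wildcard_string(s: String) -> bool:
    return all(char_of(p) == "W" for p in s)


def is_good_block(block: List[Pair], alpha: int) -> bool:
    """Step 2: a 6*alpha-character block is good iff it has exactly 3*alpha wildcards
    and they are all in the first half or all in the second half."""
    assert len(block) == 6 * alpha
    w = [char_of(p) == "W" for p in block]
    first, second = w[:3 * alpha], w[3 * alpha:]
    return (all(first) and not any(second)) or (all(second) and not any(first))


def open_string(s: String, target: Optional[List[int]] = None,
                rng: random.Random = random) -> List[int]:
    """Reveal one bit per character. A wildcard opens to either value, so with a
    `target` a wildcard string opens to exactly that string; a 0 or 1 character is
    bound and opens to its own value whatever is asked."""
    if target is None:
        return [rng.choice(pair) for pair in s]
    return [pair[0] if pair[0] == want else pair[1] for pair, want in zip(s, target)]


def xor(a: List[int], b: List[int]) -> List[int]:
    return [x ^ y for x, y in zip(a, b)]


def prove_clause(lits: List[String], rng: random.Random = random) -> List[List[int]]:
    """Prover step 7 for one clause (b = 1): choose a literal whose string is all
    wildcards, open the other two at random, and open the wildcard literal to the
    XOR of those two openings."""
    wild = [i for i, s in enumerate(lits) if is_wildcard_string(s)]
    if not wild:
        raise ValueError("no wildcard literal: the clause is unsatisfied")
    w = rng.choice(wild)
    opened: List[Optional[List[int]]] = [None, None, None]
    for i in range(3):
        if i != w:
            opened[i] = open_string(lits[i], rng=rng)
    others = [opened[i] for i in range(3) if i != w]
    opened[w] = open_string(lits[w], target=xor(others[0], others[1]))
    return opened  # type: ignore[return-value]


def verify_clause(opened: List[List[int]]) -> bool:
    """Verifier step 5: the three revealed strings must XOR to the all-zero string."""
    return not any(xor(xor(opened[0], opened[1]), opened[2]))


def random_string(alpha: int, wildcard: bool, rng: random.Random) -> String:
    """Constructed sample data: a uniformly random wildcard or bound string."""
    bits = [rng.randrange(2) for _ in range(alpha)]
    return [(b, 1 - b) if wildcard else (b, b) for b in bits]


def cheating_success_rate(alpha: int, trials: int, seed: int = 1) -> float:
    """Unsatisfied clause: all three strings are bound, so the openings are forced and
    they XOR to zero with probability 2^-alpha over the hidden bits."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        lits = [random_string(alpha, False, rng) for _ in range(3)]
        hits += verify_clause([open_string(s, rng=rng) for s in lits])
    return hits / trials
```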

We have now described the main idea in the construction. The prover has 
some degrees of freedom in choosing the statement, taking advantage of a few 
bad blocks that may be camouflaged as good blocks, etc. However, by repeating 
the proof $b$ times in parallel and using the fact that for unsatisfiable statements
there is actually a constant fraction of unsatisfied clauses no matter what the 
truth assignment is, we can ensure that a cheating prover still has very small 
chance of convincing the verifier on a false statement. 

Theorem 1. For sufficiently large $N$ the protocol given above is a hidden-bits
NIZK proof for 3SAT5 with perfect completeness, (a, 2 6 lo « 3 N )-soundness and
perfect zero-knowledge with a hidden string of size $\ell_H(N) = O(N \log N)$.

We refer to the full paper for a proof. 

5 Implementing the Hidden Bits Proof with Trapdoor 
Permutations 

Trapdoor permutations. We will now implement the hidden bits NIZK
proof using trapdoor permutations. A trapdoor permutation is a triple of
algorithms $(K_T, F, F^{-1})$. $K_T$ generates a public key $pk$, which we for convenience
will assume has $k$ bits, and a secret key $sk$ for the trapdoor permutation. $F_{pk}$
and $F^{-1}_{pk}$ are efficiently computable permutations of $k$-bit strings, such that
$F_{pk}(F^{-1}_{pk}(y)) = y$. We will assume it is hard to compute $F^{-1}_{pk}$ without knowledge
of $sk$. All trapdoor permutations can easily be converted into trapdoor
permutations with a hardcore predicate [GL89] so we will assume the existence
of a hardcore predicate $B$ for the trapdoor permutation. If $y \leftarrow \{0,1\}^k$ is chosen
uniformly at random then $B(F^{-1}_{pk}(y))$ is uniformly random in $\{0,1\}$ and given
only $(pk, y)$ it is computationally hard to decide $B(F^{-1}_{pk}(y))$.
Implementing the hidden bit string. To implement a hidden bit string
with $N'$ random bits, we generate a common reference string $\sigma$ consisting of
$k(4N'+4\Delta')$ uniformly random bits. There is a range of choices of $\Delta'$; for
the sake of concreteness let us say $\Delta' = \lceil (N')^{?} \rceil$. The prover picks a trapdoor
permutation and interprets $\sigma$ as $4N'+4\Delta'$ images of the trapdoor permutation.
This gives the prover $4N'+4\Delta'$ secret hardcore bits. The prover can selectively
open some of the hardcore bits by computing the corresponding preimages and
giving them to the verifier. This idea, first described in [FLS99], indicates how we
can generate hidden random bits that the prover can see and selectively disclose
to the verifier.

Our hidden bits proof has perfect zero-knowledge if the simulator can choose 
the hidden bits itself. Once a trapdoor permutation has been chosen we cannot 
alter the preimages though so we have not yet implemented the hidden bits 
model in the adaptive zero-knowledge sense. The problem is that the common 
reference string is chosen before the adversary picks the statement and therefore 
the simulator needs to get hidden bits out of the simulated common reference 
string that can be revealed as both 0 and 1 depending on what is needed in the 
simulation. Our solution is to interpret pairs of hardcore bits as hidden bits as 
follows: 

$00 = 0 \qquad 01 = S \qquad 10 = S \qquad 11 = 1.$

The prover reveals a hidden bit by revealing one of the two preimages associated 
with it. This means it is bound to open 0 as 0 and open 1 as 1, but it can open 
a soft bit $S$ as either 0 or 1. In the zero-knowledge simulation, we will set up the
common reference string such that all hidden bits are soft. When all hidden bits 
are soft, the zero-knowledge simulator can open them as it likes and simulate 
the hidden bits proof. 

When half the hidden bits are soft we have to be careful to preserve soundness 
though. We therefore require that the prover reveals the preimages corresponding 
to soft hidden bits. On average the prover should reveal $N'+\Delta'$ soft hidden bits,
and the verifier checks that at least $N'$ soft hidden bits are revealed. This leaves
the prover with approximately N' hidden bits, which mostly will be hard hidden 
bits which can only be opened as 0 or only be opened as 1. Soundness will now 
follow from the fact that most of the remaining hidden bits are uniformly random 
hard bits. 
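The soft/hard pair encoding above, as an added Python model that is not the paper's code: a constructed toy RSA trapdoor permutation (far too small to be secure, acting on $\mathbb{Z}_n$ rather than on $k$-bit strings, with the least significant bit as the hardcore predicate $B$) stands in for $(K_T, F, F^{-1})$. The prover reveals both preimages of every soft pair and one preimage of each opened hard pair; the verifier redoes the counting checks; and the simulator builds a CRS in which every pair is soft and opens hidden bits at will while still passing the verifier. Function names, the pair counts $N' = 8$, $\Delta' = 2$ and the sample positions are this example's own choices.

```python
import random
from typing import Dict, List, Tuple

# Constructed toy RSA trapdoor permutation on Z_n, n = 61 * 53 (insecure; illustration only).
N_MOD, E_PUB, D_PRIV = 3233, 17, 2753
PK, SK = (N_MOD, E_PUB), (N_MOD, D_PRIV)


def F(pk, x): return pow(x, pk[1], pk[0])        # F_pk(x)
def F_inv(sk, y): return pow(y, sk[1], sk[0])    # F_pk^{-1}(y), needs the trapdoor d
def B(x): return x & 1                            # hardcore predicate (LSB of the preimage)


Pair = Tuple[int, int]
Proof = List[Tuple[int, int, int]]                # (pair index i, side j, preimage)


def make_crs(rng: random.Random, n_pairs: int) -> List[Pair]:
    """Honest CRS: 2*n_pairs uniformly random images."""
    return [(rng.randrange(1, N_MOD), rng.randrange(1, N_MOD)) for _ in range(n_pairs)]


def hidden_bits(sk, crs: List[Pair]) -> List[str]:
    """Prover: each pair of hardcore bits is a hidden bit '0', '1' or soft 'S'."""
    out = []
    for y1, y2 in crs:
        h1, h2 = B(F_inv(sk, y1)), B(F_inv(sk, y2))
        out.append(str(h1) if h1 == h2 else "S")
    return out


def prove(sk, crs, n_prime, delta_prime, positions, rng) -> Tuple[Proof, bool]:
    """Reveal everything if the hard-pair count is outside [N', N'+2*Delta']; else reveal
    both preimages of every soft pair and one random preimage of each hard pair whose
    hidden bit is opened (`positions` are distinct indices into the hard pairs).
    Returns (proof, revealed_all)."""
    bits = hidden_bits(sk, crs)
    hard = [i for i, b in enumerate(bits) if b != "S"]
    if not n_prime <= len(hard) <= n_prime + 2 * delta_prime:
        return [(i, j, F_inv(sk, crs[i][j])) for i in range(len(crs)) for j in (0, 1)], True
    proof = [(i, j, F_inv(sk, crs[i][j])) for i, b in enumerate(bits) if b == "S" for j in (0, 1)]
    for pos in positions:
        i, j = hard[pos], rng.randrange(2)        # either preimage of a hard pair shows the same bit
        proof.append((i, j, F_inv(sk, crs[i][j])))
    return proof, False


def verify(pk, crs, proof: Proof, n_prime, delta_prime) -> Tuple[bool, Dict[int, int]]:
    """Verifier: check preimages, recompute hardcore bits, enforce the counting rules.
    Returns (accept, opened) with opened mapping a position among the first N'
    unrevealed pairs to its opened hidden bit."""
    seen: Dict[Tuple[int, int], int] = {}
    for i, j, pre in proof:
        if F(pk, pre) != crs[i][j]:
            return False, {}
        seen[(i, j)] = B(pre)
    n = len(crs)
    if len(seen) == 2 * n:                          # everything revealed: hard count must be out of range
        hard = sum(seen[(i, 0)] == seen[(i, 1)] for i in range(n))
        return not n_prime <= hard <= n_prime + 2 * delta_prime, {}
    remaining = []
    for i in range(n):
        both = (i, 0) in seen and (i, 1) in seen
        if both and seen[(i, 0)] == seen[(i, 1)]:
            return False, {}                        # a fully revealed pair must be soft
        if not both:
            remaining.append(i)
    if not n_prime <= len(remaining) <= n_prime + 2 * delta_prime:
        return False, {}
    opened = {pos: seen[(i, j)] for pos, i in enumerate(remaining[:n_prime])
              for j in (0, 1) if (i, j) in seen}
    return True, opened


def simulate_crs(pk, rng, n_pairs) -> Tuple[List[Pair], List[Pair]]:
    """Simulator: pick preimages with differing hardcore bits, publish their images;
    every pair is soft, so each hidden bit can later be opened as 0 or as 1."""
    pre: List[Pair] = []
    for _ in range(n_pairs):
        x1, x2 = rng.randrange(1, N_MOD), rng.randrange(1, N_MOD)
        while B(x2) == B(x1):
            x2 = rng.randrange(1, N_MOD)
        pre.append((x1, x2))
    return [(F(pk, x1), F(pk, x2)) for x1, x2 in pre], pre


def simulate_proof(pre, n_prime, delta_prime, wanted: Dict[int, int]) -> Proof:
    """Keep N'+Delta' pairs unrevealed as if they were hard (the expected count), reveal
    the rest as soft, and open each wanted position to the requested bit."""
    keep = n_prime + delta_prime
    proof: Proof = [(i, j, pre[i][j]) for i in range(keep, len(pre)) for j in (0, 1)]
    for pos, bit in wanted.items():                 # pos < keep, so pair index == pos
        j = 0 if B(pre[pos][0]) == bit else 1
        proof.append((pos, j, pre[pos][j]))
    return proof
```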

NIZK proof. We will now give the full NIZK proof for circuit satisfiability.
The statement will be a circuit $C$ and the prover will have a satisfying witness
$w$ so $C(w) = 1$. We have to be careful that the prover chooses a well-formed
public key for the trapdoor permutation and will therefore use an NIZK proof
$(\ell_{\mathrm{well}}, P_{\mathrm{well}}, V_{\mathrm{well}})$ for well-formedness. This NIZK proof could for instance be
Kilian and Petrank's original NIZK proof [KP98], which would have a cost of
$\mathrm{poly}(k)$ bits. Alternatively, we could assume the existence of certifiable trapdoor
permutations where the well-formedness of the public key is directly verifiable.
Or we could use Bellare and Yung's [BY92] method of sampling preimages to
show that the public key describes a function close to a trapdoor permutation and
then give a more careful probability analysis that deals with the small statistical
bias this might introduce in the hidden bits. We will in the following let $N' =
O(N \log N) = n\,\mathrm{polylog}(n)$ be the number of bits needed in the hidden bits
model for circuits with $n$ gates.

CRS: $\sigma = (\sigma_{1,1}, \ldots, \sigma_{2N'+2\Delta',2}, \sigma_{\mathrm{well}}) \leftarrow \{0,1\}^{k(4N'+4\Delta')+\ell_{\mathrm{well}}}$.

Proof: 

1. Generate keys for the trapdoor permutation $(pk, sk) \leftarrow K_T(1^k)$.

2. Compute an NIZK proof $\pi_{\mathrm{well}}$ for $pk$ being a valid public trapdoor
permutation key.

3. Compute the hardcore bits $h_{1,1}, h_{1,2}, \ldots, h_{2N'+2\Delta',1}, h_{2N'+2\Delta',2}$ as
$h_{i,j} = B(F^{-1}_{pk}(\sigma_{i,j}))$.

4. If there are less than $N'$ pairs or more than $N'+2\Delta'$ pairs where $h_{i,1} =
h_{i,2}$ return the proof $(pk, \pi_{\mathrm{well}}, F^{-1}_{pk}(\sigma_{1,1}), \ldots, F^{-1}_{pk}(\sigma_{2N'+2\Delta',2}))$ and halt.

5. For each pair $h_{i,1} \neq h_{i,2}$ include preimages $\pi_{i,1} = F^{-1}_{pk}(\sigma_{i,1})$ and $\pi_{i,2} =
F^{-1}_{pk}(\sigma_{i,2})$ in the proof.

6. Let $\rho = (\rho_1, \ldots, \rho_{N'})$ be the values of the first $N'$ remaining pairs of
hardcore bits.

7. Run the hidden bit string proof on $\rho$ to get $\pi_H \leftarrow P_H(\rho, f(C), f_w(w))$.

8. For all revealed bits $\rho_i$ in the hidden bits proof $\pi_H$ corresponding to
hardcore bits $h_{j,1} = h_{j,2}$ choose at random to include either $\pi_{j,1} =
F^{-1}_{pk}(\sigma_{j,1})$ or $\pi_{j,2} = F^{-1}_{pk}(\sigma_{j,2})$ in the proof.

The proof is of the form $(pk, \pi_{\mathrm{well}}, \pi_{i_1,j_1}, \ldots$
Verification: 

1. Verify the NIZK proof $\pi_{\mathrm{well}}$ for $pk$ being a correctly generated public
trapdoor permutation key.

2. Verify the correctness of all the preimages $\sigma_{i,j} = F_{pk}(\pi_{i,j})$.

3. Compute the corresponding hardcore bits $h_{i,j} = B(\pi_{i,j})$.

4. If all hardcore bits have been revealed, verify that there are less than $N'$
or more than $N'+2\Delta'$ pairs $h_{i,1} = h_{i,2}$ and accept if all verifications
have succeeded.

5. Verify that all revealed pairs of hardcore bits have $h_{i,1} \neq h_{i,2}$ and that
there are between $N'$ and $N'+2\Delta'$ pairs left in which at most one
hardcore bit has been revealed.

6. Interpret the remaining hardcore bits as indices and revealed bits as a
hidden bits proof $(i_1, \rho_{i_1}, \ldots, i_t, \rho_{i_t})$ and accept if all verifications have
succeeded and $V_H(f(C), i_1, \rho_{i_1}, \ldots, i_t, \rho_{i_t}) = 1$.

The construction leads to the following theorem that we prove in the full paper. 

Theorem 2. Assuming the existence of trapdoor permutations on $\{0,1\}^k$ with
$k$-bit keys there is an NIZK proof for circuit satisfiability with perfect completeness,
statistical soundness and computational zero-knowledge. The size of the
common reference string and the NIZK proof is $|C|\,\mathrm{polylog}|C| \cdot k + \mathrm{poly}(k)$ bits.
6 Implementing the Hidden Bits Proof with
Naccache-Stern Encryption

Naccache-Stern encryption. The Naccache-Stern cryptosystem based on
higher residues [NS98] has message space $\mathbb{Z}_P$ where $P$ is a product of small
primes. We will show how to reveal the plaintext modulo a small prime factor $p_i$
without revealing the rest of the plaintext. Interpreting even numbers as 0, odd
numbers as 1, and $p_i - 1$ as "ignore" we get a uniform distribution of hardcore bits
modulo $p_i$ assuming the Naccache-Stern encryption is semantically secure. With
Naccache-Stern's cryptosystem having constant expansion rate and each prime
factor of the message space being of logarithmic size in the security parameter
we can construct a hidden random bits implementation that is quasi-linear in
the number of hidden bits.

In the Naccache-Stern cryptosystem the public key is of the form $pk =
(M, P, g)$, where $M$ is a $k$-bit RSA modulus, $P$ is a product of small odd
primes $p_1, \ldots, p_d$ so $\gcd(8P^2, \varphi(M)) = 4P$, and $g \in \mathbb{Z}_M^*$ is a group element with
$\mathrm{ord}(g) = $ . The secret key is $sk = \varphi(M)$. Encrypting a message $m \in \mathbb{Z}_P$
with randomness $r \in \mathbb{Z}_M^*$ yields the ciphertext

$c = g^m r^P \bmod M.$

To decrypt a ciphertext $c$, compute $c^{\varphi(M)/P} = (g^{\varphi(M)/P})^m$ and use the Pohlig-
Hellman algorithm for finding discrete logarithms in groups with a smooth order
to compute $m \bmod P$.

The cryptographic assumption underlying our NIZK proof is that there is a
probabilistic polynomial time key generator $K_{NS}$ for generating Naccache-Stern
keys $(pk, sk)$ such that the cryptosystem is IND-CPA secure and the number
of small prime factors in $P$ is larger than $\beta k/\log k$ for some constant $\beta > 0$. We
refer to Naccache and Stern [NS98] for concrete key generator suggestions and a
proof that the resulting cryptosystem is IND-CPA secure under a computational
intractability assumption related to higher residues.

Opening and simulating openings of hardcore bits. In the implementation
of the Naccache-Stern cryptosystem, the prover will generate Naccache-Stern
keys $pk = (M, P, g)$ and $sk = \varphi(M)$. The random string is interpreted
as a series of $k$-bit integers where those outside $\mathbb{Z}_M^*$ are ignored. An integer
in $\mathbb{Z}_M^*$ can be interpreted as a ciphertext encrypting some message $m \bmod P$
where $P = \prod_{i=1}^d p_i$. Since there are $d = \beta k/\log k$ prime factors in $P$, this gives the
prover $d$ residues $\{m \bmod p_i\}_{i=1}^d$, each of which is translated into a hardcore bit.
The prover will use the first $N'$ hardcore bits as the hidden bit string and since
she gets $d$ bits per element in $\mathbb{Z}_M^*$ she only loses a logarithmic factor in
implementing the hidden bit string.

The key observation needed for using Naccache-Stern encryption in this way
is that the prover may verifiably disclose $m_i = m \bmod p_i$ without revealing the
other parts of the message. Consider a particular $k$-bit block $c \in \mathbb{Z}_M^*$, which the
prover can decrypt to get the plaintext $m \in \mathbb{Z}_P$. All $c \in \mathbb{Z}_M^*$ are valid ciphertexts
but there are $P$ different $r \in \mathbb{Z}_M^*$ so $c = r^P g^m$, so we will for notational
convenience fix an arbitrary such $r$ in the following. To prove $m_i = m \bmod p_i$ is
indeed part of the plaintext the prover gives a proof $\pi$ satisfying

$\pi^{p_i} = c g^{-m_i}.$²

Raising both sides to the power $\varphi(M)/p_i$ shows

$1 = (\pi^{p_i})^{\varphi(M)/p_i} = (r^P g^{m-m_i})^{\varphi(M)/p_i},$

telling the verifier that $m_i = m \bmod p_i$ since $P \mid \mathrm{ord}(g)$. The prover with the
secret key can compute a random $\pi$ satisfying the equation by choosing
$s \in \mathbb{Z}_M^*$ at random and setting

$\pi = (c g^{-m_i})^{(p_i^{-1} \bmod \varphi(M)/p_i)}\, s^{\varphi(M)/p_i}.$

In the NIZK proof, we will generalize this idea to verifiably disclose $m \bmod P_I$
for arbitrary $P_I = \prod_{i \in I} p_i$. This makes it possible for the prover to reveal many
values $\{m \bmod p_i\}_{i \in I}$ simultaneously.

There is a little variation in how many hardcore bits the prover gets out of
a common reference string since not all $k$-bit integers will belong to $\mathbb{Z}_M^*$ and
some hardcore bits are ignored, but we can use Chernoff bounds to get a good
estimate of how many hardcore bits the prover can extract and tune the proof
accordingly. Since the verifier obtains proofs $\pi$ for the correctness of the opened
hardcore bits the soundness of the hidden bit proof system implies soundness of
the full NIZK proof for circuit satisfiability.

The zero-knowledge property will come from using a different type of public
key. Instead of using $g$ that has order the simulator will pick $g$ with order
As we shall see in the security proof, the semantic security of the Naccache-
Stern cryptosystem implies that the two types of public keys are computationally
indistinguishable. With the latter choice of public key $\mathrm{ord}(g) =$ we can
write $g = (g')^P$ and now a ciphertext is no longer binding since $c = r^P g^m =
r^P (g')^{mP} = (r (g')^{m-m'})^P g^{m'}$ is at the same time an "encryption" of $m$ and $m'$.
The simulator sets up the common reference string so it contains ciphertexts that
can be opened to any hardcore bits it chooses thereby allowing it to simulate
the hidden bits proof.
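The partial-disclosure mechanism of this section, worked through as an added Python example (not the paper's or Naccache and Stern's code) on a constructed toy key $M = 43 \cdot 131$, $P = 3 \cdot 5$, which satisfies $\gcd(8P^2, \varphi(M)) = 4P$ but is far too small to be secure: encryption $c = g^m r^P$, per-prime decryption, the residue-to-hardcore-bit map, the proof $\pi$ with $\pi^{P_I} = c g^{-m_I}$ for a prime or a product $P_I$ of primes, and the simulator's non-binding key $g = (g')^P$. The honest $g$ is taken with order $\varphi(M)/4$ and the simulator's $g'$ with order $\varphi(M)/(4P)$, which is this example's assumption; the helper names are its own.

```python
from math import gcd

# Constructed toy Naccache-Stern key (illustration only, far too small to be secure):
# q1 = 2*3*7 + 1 = 43, q2 = 2*5*13 + 1 = 131, P = 3*5, so gcd(8P^2, phi(M)) = 4P = 60.
PRIMES = [3, 5]
P = 15
M = 43 * 131                      # 5633
PHI = 42 * 130                    # 5460, the secret key phi(M)


def find_g(order):
    """Smallest g in Z_M^* whose order is exactly `order` (a divisor of phi(M))."""
    for g in range(2, M):
        if gcd(g, M) != 1 or pow(g, order, M) != 1:
            continue
        if all(pow(g, order // q, M) != 1 for q in (3, 5, 7, 13) if order % q == 0):
            return g
    raise ValueError("no element of that order")


G = find_g(PHI // 4)              # assumed honest key: ord(g) = phi(M)/4, so P | ord(g)


def encrypt(m, r):
    """c = g^m r^P mod M with r in Z_M^*."""
    return pow(G, m, M) * pow(r, P, M) % M


def residue(c, p_i):
    """Decryption modulo one prime: c^(phi/p_i) = (g^(phi/p_i))^(m mod p_i), and the base
    has order p_i, so a p_i-step search is the Pohlig-Hellman step for that prime."""
    base, target = pow(G, PHI // p_i, M), pow(c, PHI // p_i, M)
    return next(t for t in range(p_i) if pow(base, t, M) == target)


def decrypt(c):
    """m mod P, recombined from the residues (brute-force CRT since P is tiny)."""
    res = [residue(c, p) for p in PRIMES]
    return next(m for m in range(P) if all(m % p == v for p, v in zip(PRIMES, res)))


def hardcore_bit(m_i, p_i):
    """Even -> 0, odd -> 1, and p_i - 1 is ignored (None), giving a uniform bit."""
    return None if m_i == p_i - 1 else m_i & 1


def disclose(c, m_I, P_I, s):
    """Prover (knows phi): pi with pi^P_I = c g^{-m_I}, randomised by s in Z_M^*.
    P_I is one prime or a product of some of the primes and m_I = m mod P_I."""
    x = c * pow(G, -m_I, M) % M
    e = pow(P_I, -1, PHI // P_I)                     # P_I^{-1} mod phi(M)/P_I
    return pow(x, e, M) * pow(s, PHI // P_I, M) % M


def verify_disclosure(c, pi, m_I, P_I):
    """Verifier: pi^P_I == c g^{-m_I} mod M. Satisfiable only when m_I = m mod P_I,
    since otherwise c g^{-m_I} is not a P_I-th power (P | ord(g))."""
    return pow(pi, P_I, M) == c * pow(G, -m_I, M) % M


# Simulator's key (assumed form): g = (g')^P with ord(g') = phi(M)/(4P); c is not binding.
G_SIM_ROOT = find_g(PHI // (4 * P))
G_SIM = pow(G_SIM_ROOT, P, M)


def simulated_openings(m, r, m_alt):
    """With the simulator's g, c = g^m r^P also equals g^{m_alt} r'^P for
    r' = r g'^{m - m_alt}; returns (c, r')."""
    c = pow(G_SIM, m, M) * pow(r, P, M) % M
    r_alt = r * pow(G_SIM_ROOT, (m - m_alt) % (PHI // (4 * P)), M) % M
    return c, r_alt
```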

NIZK proof based on Naccache-Stern encryption. We will now give the
full NIZK proof for circuit satisfiability. The statement is a circuit $C$ and the
prover will have a satisfying witness $w$ so $C(w) = 1$. Naccache-Stern keys are not
directly verifiable, so we let $(\ell_{\mathrm{well}}, P_{\mathrm{well}}, V_{\mathrm{well}})$ be an NIZK proof system for well-
formedness of a Naccache-Stern public key. This NIZK proof could for instance
be Kilian and Petrank's original NIZK proof [KP98], which would have a cost of
$\mathrm{poly}(k)$ bits. We will in the following let $N' = O(N \log N) = n\,\mathrm{polylog}(n)$ be the
number of bits needed in the hidden bits model for circuits with $n$ gates and let
$\Delta' = O((N')^{?})$. For notational simplicity, we will assume $d \mid N'$ and $\frac{N'+\Delta'}{\delta} \in \mathbb{Z}$,
where $d = \beta k/\log k$ for a constant $\beta > 0$ and $\delta$ is defined in the protocol.
Common reference string: $\sigma = (\sigma_1, \ldots, \sigma_{3N'}, \sigma_{\mathrm{well}}) \leftarrow \{0,1\}^{3N'k+\ell_{\mathrm{well}}}$.

Proof: 

1. Generate Naccache-Stern keys $(pk, sk) = ((M, P, g), \varphi(M)) \leftarrow K_{NS}(1^k)$
with $P = \prod_{i=1}^d p_i$.

2. Compute an NIZK proof $\pi_{\mathrm{well}}$ for the well-formedness of $pk = (M, P, g)$.

3. Define $\delta = d - \sum_{i=1}^d \frac{1}{p_i}$ and let $c_1, \ldots, c_{\frac{N'+\Delta'}{\delta}}$ be the first $\frac{N'+\Delta'}{\delta}$ of
$\sigma_1, \ldots, \sigma_{3N'}$ in $\mathbb{Z}_M^*$. If there are less than $\frac{N'+\Delta'}{\delta}$ of them return the
proof $\pi = (pk, sk)$.

4. Decrypt $c_1, \ldots, c_{\frac{N'+\Delta'}{\delta}}$ to get plaintexts $m_1, \ldots, m_{\frac{N'+\Delta'}{\delta}}$. Define $m_{i,j} =
m_j \bmod p_i$.

5. Define $h_{1,1}, \ldots, h_{d,\frac{N'+\Delta'}{\delta}}$ as $h_{i,j} = X$ if $m_{i,j} = -1$ and otherwise $h_{i,j} = 0$
if $m_{i,j}$ is even and $h_{i,j} = 1$ if $m_{i,j}$ is odd. If there are less than $N'$ or more
than $N'+2\Delta'$ hardcore bits $h_{i,j} \in \{0,1\}$ return the proof $\pi = (pk, sk)$.

6. Define $\rho = (\rho_1, \ldots, \rho_{N'})$ as the first $N'$ hardcore bits $h_{i,j}$.

7. Run the hidden bit string proof on $\rho$ to get $\pi_H \leftarrow P_H(\rho, f(C), f_w(w))$.

8. Define $m_{i,j}$ as revealed if the hardcore bit $h_{i,j}$ is revealed in $\pi_H$ or
$h_{i,j} = X$.

9. Let for all $j$ the set $I_j \subseteq \{1, \ldots, d\}$ be the indices $i$ for which $m_{i,j}$ is
revealed. Define $m_{I_j,j} = m_j \bmod P_{I_j}$ where $P_{I_j} = \prod_{i \in I_j} p_i$. Compute

$\pi_j = (c_j g^{-m_{I_j,j}})^{(P_{I_j}^{-1} \bmod \varphi(M)/P_{I_j})}\, s_j^{\varphi(M)/P_{I_j}}$ for a randomly chosen $s_j \in \mathbb{Z}_M^*$.

The proof is either $\pi = (pk, sk)$ or

$\pi = (pk, \pi_{\mathrm{well}}, I_1, m_{I_1,1}, \pi_1, \ldots, I_{\frac{N'+\Delta'}{\delta}}, m_{I_{\frac{N'+\Delta'}{\delta}},\frac{N'+\Delta'}{\delta}}, \pi_{\frac{N'+\Delta'}{\delta}}).$

Verification: 

1. If the proof is of the form $\pi = (pk, sk)$ accept it if and only if the key is
well-formed (the secret key can be of a form so this can be verified) and
there are less than $\frac{N'+\Delta'}{\delta}$ values in $\mathbb{Z}_M^*$ or the number of valid hardcore
bits $h_{i,j} \in \{0,1\}$ is less than $N'$ or higher than $N'+2\Delta'$.

2. Verify the NIZK proof $\pi_{\mathrm{well}}$ for $pk = (M, P, g)$ being a correctly generated
public Naccache-Stern key with $d$ small odd primes $p_1, \ldots, p_d$.

3. Identify the first $\frac{N'+\Delta'}{\delta}$ values $c_1, \ldots, c_{\frac{N'+\Delta'}{\delta}} \in \mathbb{Z}_M^*$. Reject if there are
less than $\frac{N'+\Delta'}{\delta}$ of them.

4. Verify the proofs $\pi_j^{P_{I_j}} = c_j g^{-m_{I_j,j}} \bmod M$ and compute the hardcore
bits $h_{i,j} \in \{0,1\}$ corresponding to $m_{I_1,1}, \ldots, m_{I_{\frac{N'+\Delta'}{\delta}},\frac{N'+\Delta'}{\delta}}$. Reject if the number
of unopened hardcore bits plus opened valid hardcore bits $h_{i,j}$ is less
than $N'$ or more than $N'+2\Delta'$.

5. Interpret the $h_{i,j} \in \{0,1\}$ as a hidden bits proof $(i_1, \rho_{i_1}, \ldots, i_t, \rho_{i_t})$.
Accept if the verifications succeed and $V_H(f(C), i_1, \rho_{i_1}, \ldots, i_t, \rho_{i_t}) = 1$.

The construction gives us the following theorem that we prove in the full paper. 


² We represent elements of $\mathbb{Z}_M^*$ as integers in the range $\{1, \ldots, M-1\}$.
Theorem 3. Assuming the Naccache-Stern cryptosystem is IND-CPA secure,
there is an NIZK proof for circuit satisfiability with perfect completeness, statistical
soundness and computational zero-knowledge. The size of the common
random string and the proof is $|C|\,\mathrm{polylog}|C| + \mathrm{poly}(k)$ bits.

7 Conclusion 

We have suggested the shortest known NIZK proofs based on standard in-
tractability assumptions. Based on trapdoor permutations we get an NIZK
proof and common reference string of size $|C| k\,\mathrm{polylog}\,k$ bits (where we use
that $\mathrm{polylog}|C| = \mathrm{polylog}\,k$). This is a factor $\mathrm{polylog}\,k$ improvement over Kilian
and Petrank's construction [KP98].

Based on a specific number-theoretic assumption related to factoring, we get
a very efficient implementation of a hidden bit string and an even shorter NIZK
proof with a complexity of $|C|\,\mathrm{polylog}\,k$ bits. This is asymptotically a factor
$\mathrm{polylog}\,k$ more efficient than the pairing-based constructions by Groth, Ostrovsky
and Sahai [GOS06b, GOS06a] (assuming the group elements have size $\mathrm{polylog}\,k$)
although it remains an open problem to reduce the polylogarithmic factor to
make our construction practical.
Abstract. We design cryptographic protocols that recognize best case (optimistic)
situations and exploit them. As a case study, we present a new concurrent zero- 
knowledge protocol that is expected to require only a small constant number of 
rounds in practice. To prove that our protocol is secure, we identify a weak prop- 
erty of concurrent schedules — called footer-freeness — that suffices for efficient 
simulation. 

Keywords: concurrent zero-knowledge, rational, optimistic. 


1 Introduction 

Cryptographic protocols anticipate worst-case behavior and therefore often contain 
complicated provisions that are meant solely to handle them. Such provisions can be 
expensive and counter-intuitive. 

To circumvent these side-effects but still construct protocols that are secure against 
worst-case behavior, this paper proposes to use an optimistic technique for building 
protocols that is inspired by work on Byzantine agreement. The aim is to design proto- 
cols that can recognize the best cases and optimize for them, even in the midst of the 
protocol execution. 

Optimism has been employed by researchers in distributed computing (e.g. the (Fast)
Paxos algorithm [Lam05]) and fair exchange [ASW98]: the novelty of this work is to
exploit optimism for the problem of concurrent zero-knowledge. Optimistic protocols 
make no attempt to improve worse-case performance. In fact doing so would require 
overcoming a lower bound argument in the case of zero-knowledge. Nonetheless, the 
optimistic cases that we exploit are common and meaningful to discuss. 

1.1 Concurrent Zero-Knowledge 

When many instances of a stand-alone zero-knowledge protocol are executed at the 
same time, the combination of all runs may leak information about the theorem. The 
standard methodology for arguing that a protocol transcript “does not leak informa- 
tion” is to exhibit a simulator algorithm that is able to produce transcripts that are 
indistinguishable from actual transcripts of protocol executions. Dwork, Naor and
Sahai [DNS98] observed that in a concurrent zero-knowledge setting, a malicious verifier
who controls the schedule of protocol messages can induce a schedule for which a 
Fig. 1. Illustration of an "average-case" schedule, and an adversarial one (panel title: Nested Scheduling)


“naive” simulation algorithm will require exponential time (and thus the execution may
leak information). An example of such a scheduling of messages is given in Figure 1. In the
bottom (red) schedule, the verifier has “nested” many executions of the zero-knowledge
protocol. This type of scheduling is a concurrency attack on the zero-knowledge prop-
erty of the original protocol and it captures the fundamental problem with designing
efficient concurrently secure zero-knowledge protocols.

To address the concurrency attack, Dwork, Naor and Sahai [DNS98] proposed a
timing model assumption and a protocol that limits the amount of nesting that can
occur in an adversarial scheduling. Their protocol was an argument system; Goldreich
[Gol02] later showed that proof systems can also be constructed in such a model.
Pass, Tseng, and Venkitasubramaniam [PTV10] present an eye-for-an-eye solution in
the timing model that reduces the overall delay of the protocol. Other protocols that
handle concurrency attacks have been obtained by introducing different setup assump-
tions [DS98, Dam99, CGGM00] such as a common reference string or a PKI.

Richardson and Kilian [RK99] constructed the first concurrent zero-knowledge
argument system in the standard model without extra setup assumptions. Kilian and
Petrank [KP01] introduced a simulation technique which led to simpler and cleaner
analysis and fewer rounds. Finally, the work of Prabhakaran, Rosen and Sahai [PRS02]
(PRS) further simplified and improved the analysis of the Kilian and Petrank protocol to
obtain a protocol with $\omega(\log n)$ rounds. This round complexity is close to optimal in the
standard model because without any set-up assumptions, Canetti, Kilian, Petrank and
Rosen [CKPR01, CKPR02] show that concurrent zero-knowledge argument systems for
non-trivial languages using a “black-box” simulator require at least $\Omega(\log n / \log\log n)$
communication rounds. In order to show this lower bound, they rely on a
framework proposed by Kilian, Petrank and Rackoff [KPR98], with further improve-
ments from Rosen [Ros00], and present a specific malicious verifier and a particularly
difficult schedule of messages. Recently, Pandey et al. [PPS+08] have proposed new
precise concurrent zero-knowledge proofs with similar round complexity.

It has been a long-standing open problem to build communication-efficient con-
current zero-knowledge protocols. To circumvent the lower bound on the round com-
plexity from [CKPR01, CKPR02], prior work (1) introduces additional trust assump-
tions [DNS98, DS98, Dam99, CGGM00], (2) relaxes the definition of security to allow
quasi-polynomial time simulation [Pas03, PS04, PV08], or (3) employs a more com-
plicated and powerful non-black-box simulation technique [Bar01] and restricts the
number of concurrent sessions. The latter technique also relies on complex tools and
techniques that require NP-reductions.
Overview of slots. Before detailing our approach, let us review the idea employed by
the protocols from [RK99, PRS02, PTV10] to defend against concurrent attacks.

In the first phase of the protocol, the verifier creates an irrelevant secret (such as a com- 
mitment to a string) and then (repeatedly) proves in zero-knowledge to the prover that 
it knows the secret. Each block of protocol messages during which the verifier proves 
knowledge of this secret is called a “slot.” In the second phase, the Prover proves that 
it either knows the witness to the original theorem or that it knows the verifier’s secret 
using a witness indistinguishable protocol. Prior work [RK99, KP01, PRS02, Ros06]
proves that if the first phase has enough slots, then a simulation strategy can be 
devised such that for any schedule of messages, the simulator can successfully ex- 
tract a witness from the verifier’s proof and then use that witness in the second 
phase. 

Optimistic Defense. We propose an optimistic defense against concurrency attacks in
which we relax the requirements from prior work and specifically [CKPR01] that (1)
each protocol session involves an independent prover who does not know anything about 
the other protocol instances and (2) each protocol execution has exactly the same (fixed) 
number of rounds. Doing so allows us to build protocols that optimistically avoid the 
worst-case schedules used in the lower bounds. 

When one server handles many concurrent requests, the server knows the exact
schedule of messages. The work of Persiano and Visconti [PV05] also exploits this
relaxation by using a Prover who counts the total number of bytes sent in all
sessions.¹

We believe this to be a reasonable and practical relaxation. In many applications of 
zero-knowledge proofs, for example, the prover will be the same party (some server), 
and it will have the opportunity to share state between protocol sessions. In particular, 
servers on the internet routinely keep track of the various protocol session statistics such 
as the total number of protocol executions that run at a given time. Operating systems 
which make quality of service guarantees also inspect different protocol instances in 
order to throttle connections. While the original motivation of the concurrent session 
model in which the Prover instances run independently of one another was to sim- 
plify implementation of systems, there is no fundamental implementation reason that 
prevents sharing the global scheduling information among the Prover algorithms in dif- 
ferent protocol sessions. (Of course, requiring the Verifiers to coordinate their sessions 
would be unrealistic, since the Verifiers may be separate parties.) 

In our model, each session of the protocol may require a different number of com- 
munication rounds. This relaxation allows us to instruct the prover to handle schedules 
which are easier to simulate differently than schedules which are more difficult. In 
contrast, in typical cryptographic protocols, each execution of the protocol has a fixed 
number of messages and each successful invocation usually requires exactly the same 
number. 

Our protocol can “short circuit” the normal protocol when it is clear that such a 
shortcut preserves the security properties. To the best of our knowledge, this idea has 
not been applied in the context of a security guarantee such as zero-knowledge. 


¹ In contrast to this work, their solution … non-blackbox simulation techniques.
1.2 Our Protocol

The idea behind our fast track protocol is to discourage the verifier V* from nesting 
sessions within the slots of other sessions by penalizing a verifier whose slots have 
nested sessions. The penalty will be to gradually add more slots to the protocol until 
either enough slots with no (or few) nestings occur, or a pre-specified bound on the 
number of rounds is reached. 

The basis for our protocol is the cZK protocol by Prabhakaran, Rosen and Sa-
hai [PRS02] which uses statistically hiding commitments [NY89, DPP93] and Blum's
3-message protocol for Hamiltonicity [Blu86]. The only difference between our proto-
col and the PRS protocol is that it contains a special provision for exiting the “pream- 
ble” stage. Early exits are “approved” by the prover, provided that there is a slot in the 
current session that does not have any other session footers within it. Assuming that 
verifiers answer quickly, it is expected that the number of nested sessions within slots 
is generally small, optimistically resulting in an empty slot and thus in straightforward 
simulation. 

Verifiers have incentive to answer fast since the longer they delay their answer, the 
more likely they are to have nested sessions (from some other verifier) within the slot 
that they are currently executing. Once the slot has a nested session within it, early exit 
is postponed to future rounds, and another slot is added to the protocol’s execution. 
This process continues until k = ω(log n) slots have been performed, in which case the
Hamiltonicity proof takes place and the protocol terminates. 

At the expense of a more involved analysis, one should be able to replace the PRS protocol with any other instantiation of a cZK protocol that follows the RK "multi slot" paradigm, and obtain analogous results. One attractive instantiation would be the DDH-based cZK protocols of Micciancio and Petrank [MP03]. These protocols admit fairly efficient implementations, and are thus a good match for our optimistic approach, whose primary objective is increased efficiency.

But worst-case schedules still require many rounds! Note that worst-case schedules still require the same number of rounds as PRS. The same observation applies to any optimistic protocol, such as Fast Paxos or optimistic fair exchange protocols. The worst-case schedule, however, may be rare and avoidable by incentivized verifiers.

Comparison with Other Proposals. In Appendix A we compare our approach to other simple proposals and to the timing model proposed by

2 Optimistic Rational Concurrency 

Let (P, V) be an interactive proof (resp. argument) for a language L, and consider a single concurrent adversary (verifier) V* that, given input x ∈ L, interacts an unbounded number of times with P (each with common input x) without any restrictions over the scheduling of its messages.

Formally, we use the standard model for concurrency in the timing model put forth by Dwork, Naor, and Sahai [DNS98]. The adversary V* takes as input the prover's partial conversation transcript, which includes the times on the prover's local clock when each message was sent or received by the prover. The adversary's output is either a tuple (recv, V, a, t), indicating that P receives message a from V at local time t, or (send, V, t), indicating that P must send the next message to V at time t on P's local clock. In both cases, the time t that the adversary chooses must be greater than all the times given in the input transcript (i.e., the adversary cannot rewind P), the session with V must be well-formed, and a must be in the protocol's "message space" (i.e., standard well-formedness conditions apply). If these conditions are not met, the transcript is discarded.

The transcript of a concurrent interaction consists of the common input x, followed by the sequence of prover and verifier messages exchanged during the interaction. We denote by $\mathrm{view}^P_{V^*}(x)$ a random variable describing the content of the random tape of V* and the conversation transcript between P and V* as described above.

Definition 1 (Concurrent Zero-Knowledge). Let (P, V) be an interactive proof system for a language L. We say that (P, V) is concurrent zero-knowledge if for every probabilistic strict polynomial-time concurrent adversary V* there exists a probabilistic polynomial-time algorithm $S_{V^*}$ such that the ensembles $\{\mathrm{view}^P_{V^*}(x)\}_{x \in L}$ and $\{S_{V^*}(x)\}_{x \in L}$ are computationally indistinguishable.

Discussion. There may be other verifiers that are also interacting with P at the same 
time as V*. In prior work, these sessions are ignored because either the monolithic 
adversary V* can incorporate these sessions if they can be used to cheat, or because 
these extra sessions are completely independent of V* ’s view. 

In our case, however, these extra sessions by honest verifiers are not completely independent of V*'s view.² In the protocol we suggest, for example, a verifier will learn when one of its slots is not footer-free, and therefore it will learn of the presence of another session. This is not necessarily the case with other concurrent ZK protocols such as PRS, because the number of rounds in those protocols is not related to the schedule of messages. However, the aim of a zero-knowledge protocol in a networked setting is to ensure that no information about the witness w for instance x is leaked; we feel that it is reasonable for a protocol to leak network timing information because such information is typically leaked by the underlying network (or by timing or side channels).

To model this, we give V* full control over the timing of all network messages 
including the Prover’s messages and the timing of the messages from the honest verifier 
sessions that are not controlled by V* . Although this is syntactically the same formal 
model with a single V* as in prior work, there is a subtle difference. Our protocol and its simulator essentially guarantee that "a verifier V' who controls a subset of the sessions learns no more through interaction with P than a malicious verifier V* who controls all network traffic, and such a verifier learns no more than the polynomial-time simulator who does not have the witness."

Notation. We use the symbols (V0), (P1), (V1), . . . , (Pk), (Vk) to denote the messages in the preamble; these messages are completely independent of the common input and they serve to enable a successful simulation in the concurrent setting.

Every round (slot) in the preamble (i.e., every (Pj), (Vj) pair) is viewed as a "rewinding opportunity." Successfully rewinding even one slot in the preamble is sufficient in order to cheat arbitrarily in the actual proof (messages (p1), (v1), (p2)) and thus complete the simulation.

2 We thank the anonymous reviewer for pointing out this subtle distinction.

[Figure: message flow of the preamble (V0), (P1), (V1), . . . , (Pk), (Vk) between P and V; image not reproduced.]

Fig. 2. A k-round preamble

One problem faced by a cZK simulator is that rewinding a specific session may 
result in loss of work done for other sessions, and therefore require the simulator to do 
the same amount of work again. This will happen whenever the rewound slot contains 
other sessions “nested” within it. 

For example, if a slot of session B contains the (V0) message of session A within it, rewinding this slot will cause all simulation work done for session A to be lost. This is because the simulation of a session A hinges on the simulator "extracting" specific values that have been committed to by the verifier in message (V0) of this session. Rewinding past the (V0) message of A could alter the history of interaction up to this message and may result in a modification of its contents (rendering the extracted values irrelevant).

The simulator must invest work in session A whenever session A's preamble completes before the end of the slot of session B. In such a case, reaching the end of session A's preamble without having extracted the value committed to in message (V0) of session A may prevent the simulator from proceeding beyond the end of this preamble (since the malicious verifier may refuse to continue if it is not convinced of the validity of the statement being proved in session A). Failure to proceed beyond the end of the session A preamble translates directly to failure to rewind the session B slot within which this preamble is nested.

Definition 2 (Nested Footer). Slot j of session B is said to have a nested footer of session A within it if session A's (Vk) message occurs between messages (Pj), (Vj) of session B. A slot is said to be footer free if it has no nested footer.

Avoiding nested footers enables the completion of the slot between messages (Pj) and (Vj) of session B without having to first invest work in simulating session A (implying that there is no risk of losing, and thus redoing, this work as a result of rewinding). This observation will be crucial to the analysis of the footer-free version of our protocol.
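The footer-free check of Definition 2, together with the prover-side slot accounting it drives, as an added example (this is not code from the paper): a small Python model that replays an arrival order of Stage-1 verifier messages and reports, per session, how many slots the fast-track rule would have used and whether the last slot was footer-free. It assumes that the prover sends (Pj) the moment (V(j-1)) arrives, that a session's footer is the verifier message with which its preamble ends (the (Vk) of Definition 2, or the early-exit (Vj)), and that Stage-2 messages are not part of the trace; the three schedules are constructed, not measured. Run with k = 1 it performs the same nested-footer count as the syn-to-fin flow study later in this section.

```python
"""Fast-track slot accounting over a concurrent schedule (added example).

Assumptions (ours, not the paper's): the trace is the order in which Stage-1
verifier messages reach the prover, one session id per arrival.  The first
arrival of a session is its (V0); each later arrival is the (Vj) closing the
slot currently open for that session.  The prover sends (Pj) immediately after
(V(j-1)), so slot j is open from that arrival until (Vj) arrives.  A session's
footer is the verifier message with which its preamble ends.
"""
from typing import Dict, List, Tuple

Schedule = List[str]
Outcome = Dict[str, Tuple[int, bool]]   # session -> (slots used, last slot footer-free?)

# Constructed arrival orders; letters are session ids.
SEQUENTIAL = ["A", "A", "B", "B"]
NESTED = ["B", "A", "A", "B", "B"]                                  # A ends inside B's slot 1
ADVERSARIAL = ["B", "A", "A", "B", "C", "C", "B", "D", "D", "B"]    # every B slot gets a footer


def footer_free(slot_open: int, slot_close: int, footers: List[int]) -> bool:
    """Definition 2: the slot between (Pj) at slot_open and (Vj) at slot_close is
    footer-free iff no other session's footer was delivered strictly inside it."""
    return not any(slot_open < f < slot_close for f in footers)


def fast_track(schedule: Schedule, k: int) -> Outcome:
    """Apply the Stage-1 rule of Fig. 3 to an arrival order.

    After each (Vj): if the slot is footer-free, or j == k, the session moves to
    Stage 2 and this (Vj) becomes its footer; otherwise slot j+1 is opened.
    """
    if k < 1:
        raise ValueError("k must be at least 1")
    slot_no: Dict[str, int] = {}     # session -> index j of its open slot
    slot_open: Dict[str, int] = {}   # session -> arrival index at which (Pj) was sent
    footers: List[int] = []          # arrival indices of preamble footers
    done: Outcome = {}
    for idx, s in enumerate(schedule):
        if s in done:
            continue                 # already in Stage 2; Stage-2 traffic is not modelled
        if s not in slot_no:
            slot_no[s], slot_open[s] = 1, idx    # (V0) arrived, (P1) sent now
            continue
        j = slot_no[s]
        free = footer_free(slot_open[s], idx, footers)
        if free or j == k:
            done[s] = (j, free)
            footers.append(idx)      # this (Vj) is s's footer
        else:
            slot_no[s], slot_open[s] = j + 1, idx   # penalty: one more slot
    return done


def nesting_stats(schedule: Schedule) -> Tuple[int, int, int]:
    """One-slot sessions (k = 1), the shape of the syn-to-fin flows in the
    empirical study: returns (sessions whose only slot held another session's
    footer, total sessions, number of overlapping session pairs)."""
    outcome = fast_track(schedule, k=1)
    nested = sum(1 for _, free in outcome.values() if not free)
    first: Dict[str, int] = {}
    last: Dict[str, int] = {}
    for idx, s in enumerate(schedule):
        first.setdefault(s, idx)
        last[s] = idx
    ids = list(first)
    overlapping = sum(
        1 for x in range(len(ids)) for y in range(x + 1, len(ids))
        if first[ids[x]] < last[ids[y]] and first[ids[y]] < last[ids[x]])
    return nested, len(outcome), overlapping


if __name__ == "__main__":
    for name, sched in (("sequential", SEQUENTIAL), ("nested", NESTED), ("adversarial", ADVERSARIAL)):
        print(name, fast_track(sched, k=3))
```

In the adversarial order session B never sees a footer-free slot and is only released by the bound j = k, which is the worst case the text concedes; the other two orders finish B in one or two slots.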
Two simulation strategies. Currently, there are two known approaches for concurrent simulation. The first simulation strategy adaptively looks for slots that do not have many sessions with nested headers within them, and this is where it focuses its attempts to rewind the interaction with the verifier [RK99]. The second simulation strategy is different in that it performs a sequence of rewinds obliviously of the actual scheduling of the messages [KP01, PRS02].
The main advantage of the second approach over the first one is that it is known to guarantee correct "worst case" simulation using fewer slots ($O(\log n)$ vs. $O(n^{\varepsilon})$ for every ε > 0). However, being oblivious to the actual schedule, it does not seem suitable for taking advantage of the lack of nested headers and/or footers within a slot. As we demonstrate in this paper, by adaptively identifying good places for multiple rewindings, the second approach can be tailored to work in our optimistic setting.

To the best of our knowledge, the idea of taking advantage of the lack of nested 
footers for the sake of improved concurrent simulation is new. As we argue in the paper, 
lack of nested footers within one slot is a fairly weak constraint on the schedule, and 
may be enforced using a variety of realistic mechanisms. 

The protocol. Our protocol has the prover monitor the scheduling of messages and identify footer-free slots on the fly; once such a slot is identified, there is no need to keep adding slots to the execution of that specific session, so the protocol moves on to the execution of the actual constant-round ZK protocol.


Common Input: $x \in \{0,1\}^n$, security parameter n, max. # rounds parameter $k = \omega(\log n)$.
Prover's Input: a witness w such that $R_L(x, w) = 1$.

Stage 1:

P → V (P0): Send first message of perfectly hiding commitment Com.

V → P (V0): Using the commitment Com, commit to random σ and to $\{\sigma^0_{i,j}, \sigma^1_{i,j}\}_{i,j=1}^{k}$ such that $\sigma^0_{i,j} \oplus \sigma^1_{i,j} = \sigma$ for all i, j.

Slot j:

P → V (Pj): Send a random challenge $r_j = r_{1,j}, \ldots, r_{k,j}$.
V → P (Vj): Upon receiving the message $r_j$, decommit to $\sigma^{r_{1,j}}_{1,j}, \ldots, \sigma^{r_{k,j}}_{k,j}$.
P → V: If any of the decommitments fails verification, abort.

If slot j is footer free or j = k, move to Stage 2.

If slot j is not footer free and j < k, move to slot j + 1.

Stage 2: P and V engage in Blum's 3-round Hamiltonicity protocol using challenge σ:

1. P → V (p1): Use the witness to produce the first message of the Ham protocol.

2. V → P (v1): Decommit to σ and to the remaining shares $\sigma^{1-r_{i,j}}_{i,j}$ for all i, j.

3. P → V (p2): If the decommitments are valid and $\sigma^0_{i,j} \oplus \sigma^1_{i,j} = \sigma$ for all i, j, answer σ with the third message of the Ham protocol. Otherwise abort.

Fig. 3. Fast-track concurrency


Completeness and soundness of the protocol of Fig. 3 are inherited from the PRS protocol, and in particular follow from Proposition 4.3.2 in [Ros06]. We now turn to demonstrating the cZK property.
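The share structure of Stage 1 in Fig. 3, and the extraction a simulator performs once it holds two different answers to the same slot (the "solve" step of Section 2.1 below), as an added example that is not the paper's code: a Python toy that commits to σ and to the k·k share pairs in (V0), answers slot challenges by opening one share per pair, performs the prover's checks after (Vj) and in (p2), and recovers σ from two distinct replies to one slot. Assumptions: a SHA-256 hash commitment stands in for the perfectly hiding Com (so hiding is only computational here), σ and the shares are 16-byte strings, the toy verifier never aborts, and k is tiny so the demo is instantaneous; the names PreambleVerifier, extract_sigma and rewind_and_solve are ours.

```python
"""Toy Stage-1 share structure and simulator extraction (added example)."""
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

Opening = Tuple[bytes, bytes]   # (value, nonce) that opens a commitment
Index = Tuple[int, int, int]    # (i, j, bit) addressing share sigma^bit_{i,j}


def commit(value: bytes, nonce: bytes) -> bytes:
    """Hash commitment standing in for the paper's perfectly hiding Com (assumption)."""
    return hashlib.sha256(nonce + value).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class PreambleVerifier:
    """Honest verifier's Stage 1: picks sigma and k*k share pairs with
    sigma0_{i,j} XOR sigma1_{i,j} == sigma, commits to sigma and to every share
    in (V0), and opens one share per pair in reply to each slot challenge (Pj).
    This toy verifier never aborts."""

    def __init__(self, k: int, sigma_len: int = 16):
        self.k = k
        self.sigma = secrets.token_bytes(sigma_len)
        self.sigma_open: Opening = (self.sigma, secrets.token_bytes(16))
        self.v0_sigma = commit(*self.sigma_open)
        self.shares: Dict[Index, Opening] = {}
        self.v0: Dict[Index, bytes] = {}          # share commitments sent in (V0)
        for i in range(k):
            for j in range(k):
                s0 = secrets.token_bytes(sigma_len)
                for bit, val in ((0, s0), (1, xor(self.sigma, s0))):
                    nonce = secrets.token_bytes(16)
                    self.shares[(i, j, bit)] = (val, nonce)
                    self.v0[(i, j, bit)] = commit(val, nonce)

    def answer_slot(self, j: int, r_j: List[int]) -> List[Opening]:
        """(Vj): decommit to sigma^{r_{i,j}}_{i,j} for i = 0..k-1."""
        if len(r_j) != self.k:
            raise ValueError("challenge must have exactly k bits")
        return [self.shares[(i, j, r_j[i])] for i in range(self.k)]

    def stage2_openings(self) -> Dict[Index, Opening]:
        """(v1): open every share, the still-unopened sigma^{1-r} ones included."""
        return dict(self.shares)


def verify_slot(v0: Dict[Index, bytes], j: int, r_j: List[int],
                openings: List[Opening]) -> bool:
    """Prover's check after (Vj): each opening must match the (V0) commitment of
    the share that was asked for; on failure the prover aborts."""
    return len(openings) == len(r_j) and all(
        commit(val, nonce) == v0[(i, j, r_j[i])]
        for i, (val, nonce) in enumerate(openings))


def verify_stage2(v0: Dict[Index, bytes], v0_sigma: bytes, sigma_open: Opening,
                  openings: Dict[Index, Opening]) -> bool:
    """Prover's check in (p2): all decommitments valid and every pair XORs to sigma."""
    sigma, nonce = sigma_open
    if commit(sigma, nonce) != v0_sigma:
        return False
    if any(commit(val, n) != v0[idx] for idx, (val, n) in openings.items()):
        return False
    k = max(i for i, _, _ in v0) + 1
    return all(xor(openings[(i, j, 0)][0], openings[(i, j, 1)][0]) == sigma
               for i in range(k) for j in range(k))


def extract_sigma(r_j: List[int], openings: List[Opening],
                  r_j2: List[int], openings2: List[Opening]) -> Optional[bytes]:
    """Simulator's solve step: two different (Vj) replies to the same slot j reveal
    both shares of some pair (i, j); their XOR is sigma.  Returns None when the two
    challenges coincide (probability 2^-k), the event in which a rewound slot fails."""
    for i, (b1, b2) in enumerate(zip(r_j, r_j2)):
        if b1 != b2:
            return xor(openings[i][0], openings2[i][0])
    return None


def random_challenge(k: int) -> List[int]:
    return [secrets.randbits(1) for _ in range(k)]


def rewind_and_solve(v: PreambleVerifier, j: int = 0, max_tries: int = 64) -> Optional[bytes]:
    """Step 4 of SOLVE for one footer-free slot: keep (V0) fixed, resend fresh (Pj)
    challenges until the reply differs from the first one, then extract sigma.
    The expected number of retries is about 1; max_tries only bounds the demo."""
    r1 = random_challenge(v.k)
    a1 = v.answer_slot(j, r1)
    if not verify_slot(v.v0, j, r1, a1):
        return None                                # an honest prover aborts here
    for _ in range(max_tries):
        r2 = random_challenge(v.k)
        a2 = v.answer_slot(j, r2)
        if verify_slot(v.v0, j, r2, a2):
            sigma = extract_sigma(r1, a1, r2, a2)
            if sigma is not None:
                return sigma
    return None


if __name__ == "__main__":
    v = PreambleVerifier(k=8)
    print(rewind_and_solve(v) == v.sigma)          # True: sigma known before Stage 2
```

Because a single successfully rewound slot already yields σ, the simulator can answer Blum's challenge without the witness; what the fast-track rule buys is that this one rewind is attempted on a slot in which no other session's footer can make the rewind expensive.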

2.1 The Simulator 

We exhibit the cZK property using a black-box simulator S. Let V* be a concurrent adversary verifier. S will rewind the interaction with V* and examine its input/output behavior. The rewinding strategy of the simulator is specified by a SOLVE procedure whose goal is to supply the simulator with V*'s "challenges" before reaching Stage 2 in the protocol. This is done by rewinding the interaction with V* while trying to achieve two "different" answers to some (Pj) message. We refrain from specifying the way Stage 2 messages are handled and focus only on Stage 1 messages. For standard details on how to handle Stage 2 messages see [Ros06].

The timing of the rewinds performed by the SOLVE procedure depends on the number 
of stage 1 verifier messages received so far and on the size of the schedule. However, 
whenever it encounters a situation in which a slot of a given session is footer-free, the 
SOLVE procedure (adaptively) assumes that this is its only chance to solve that session 
and performs (an expected polynomial number of) extra rewinds in order to make sure 
that the slot is successfully rewound. The number of extra rewinds is not determined in 
advance, and is induced by the analysis of a constant-round ZK protocol for NP by
Rosen [Ros04].

At a high level, the SOLVE procedure splits the first stage messages it is about to 
explore into two halves and invokes itself recursively twice for each half (completing 
the two runs of the first half before proceeding to the two runs of the second half). At the 
top level of the recursion, the messages that are about to be explored consist of the entire 
schedule, whereas at the bottom level the procedure explores only a single message 
(and as we said may do so multiple times, depending on whether the recursive call 
corresponds to a message-free slot). The solve procedure always outputs the sequence 
of “first explored” messages. 

The input to the SOLVE procedure consists of a triplet (ℓ, hist, T). The parameter ℓ corresponds to the total number of verifier messages, the string hist consists of the messages in the "first visited" history of interaction, and T is a table containing the contents of all the messages explored so far. The messages stored in T are used in order to determine σ according to answers (Vj) to different (Pj). They are kept relevant by constantly keeping track of the sessions that are rewound past their initial commitment. That is, whenever the SOLVE procedure rewinds past the (V0) message of a session, all messages belonging to this session are deleted from T.

The analysis takes advantage of the fact that no rewound slot contains a footer, build- 
ing on the assumption that footer-freeness is an event of non-negligible probability (as 
otherwise it is assumed not to have occurred to begin with). By repeatedly rewind- 
ing, the simulator is likely to run into a footer-free situation again, which means that 
it will not get stuck on that rewinding. This will enable it to successfully complete the 
rewinding attempt, and to solve the corresponding session (thus avoiding getting stuck 
on sessions that have strictly less than k slots). 

2.2 Analysis of the Simulator 

To show that the simulator S succeeds we will need to argue that: (1) S runs in polynomial time, (2) conditioned on the success of the SOLVE procedure, the output of S is indistinguishable from a concurrent interaction between P and V*, and (3) for every session i ∈ {1, . . . , m}, whenever session i reaches the second stage in the protocol, the simulator will have obtained the value of σ in this session if required (i.e., did not get stuck) with overwhelming probability. Once (3) is established, we may apply a union bound over the i's and conclude that SOLVE fails with only negligible probability. We focus on (1) and (3).
Procedure SOLVE(ℓ, hist, T):

Bottom level (ℓ = 1):

1. For each s ∈ {1, . . . , m}, if the initial commitment (V0) of session s does not appear in hist, delete all session s messages from T.

2. Run β ← V*(hist, p). If β is of the form (recv, V, a, t), then continue to the next step. Else if it is (send, V, t), then uniformly choose a first stage prover message p, append it to the transcript at time t, and repeat this step. If t or a are invalid, then halt the simulation and output the current transcript.

3. Let
 - $(p_1, v_1, \ldots, p_t, v_t) = (\mathrm{hist}, p, v)$,
 - i be the session number to which v corresponds.

4. If there exists a pair of indices (a, b) such that a ∈ [t] and b = t for which:
 - $v_b \neq$ ABORT,
 - both $v_b$ and $p_a$ belong to session i,
 - the slot between messages $p_a$ and $v_b$ is footer-free,
 then pick one such (a, b) and rewind the interaction to message $p_a$ until
 - $v_b \neq$ ABORT,
 - both $v_b$ and $p_a$ belong to session i,
 - the slot between messages $p_a$ and $v_b$ is footer-free.

5. Store the messages gathered in the rewindings along with p, v in T.

6. Output T, (p, v).

Recursive step (ℓ > 1):

1. Set $T_1, (p_1, v_1, \ldots, p_{\ell/2}, v_{\ell/2}) \leftarrow \mathrm{SOLVE}(\ell/2, \mathrm{hist}, T)$.

2. Set $T_2, (p_1, v_1, \ldots, p_{\ell/2}, v_{\ell/2}) \leftarrow \mathrm{SOLVE}(\ell/2, \mathrm{hist}, T_1)$.

3. Set $T_3, (p_{\ell/2+1}, v_{\ell/2+1}, \ldots, p_\ell, v_\ell) \leftarrow \mathrm{SOLVE}(\ell/2, (\mathrm{hist}, p_1, v_1, \ldots, p_{\ell/2}, v_{\ell/2}), T_2)$.

4. Set $T_4, (p_{\ell/2+1}, v_{\ell/2+1}, \ldots, p_\ell, v_\ell) \leftarrow \mathrm{SOLVE}(\ell/2, (\mathrm{hist}, p_1, v_1, \ldots, p_{\ell/2}, v_{\ell/2}), T_3)$.

5. Output $T_4, (p_1, v_1, \ldots, p_\ell, v_\ell)$.

Fig. 4. The SOLVE procedure

Lemma 1. For every m = poly(n), S runs in (expected) polynomial time in n.

Proof. We analyze the work invested at any given invocation of level ℓ = 1. For any G ∈ HC, for any choice of hist, p, and of a, b ∈ {1, . . . , t} where a < b, let $\zeta_{a,b} = \zeta_{a,b}(G, \mathrm{hist}, p, v)$ denote the probability that: (1) the verifier V* does not send ABORT in message $v_b$, (2) both $v_b$ and $p_a$ belong to session i, (3) the slot between $p_a$ and $v_b$ is footer-free, (4) none of the $v_j$'s corresponds to message (V0) of session i, and (5) none of the $p_j$'s corresponds to message (p1) of session i. Let $\zeta'_{a,b}$ denote the probability that (1), (2) and (3) occur. The probabilities $\zeta_{a,b}$ and $\zeta'_{a,b}$ are taken over the random choices of the invocations of the SOLVE procedure. It can be seen that $\zeta'_{a,b} \ge \zeta_{a,b}$.

Using this notation, a pair (a, b) satisfying conditions (1)-(5) occurs with probability $\zeta_{a,b}$ and the SOLVE procedure is expected to repeat the loop in Step 4 at most $1/\zeta'_{a,b}$ times (since the condition in Step 4 is satisfied in each one of the rewinds with probability $\zeta'_{a,b}$, independently of other rewinds). For i ∈ {1, . . . , 6}, let $p_i(\cdot)$ be a polynomial bound on the work required in order to perform Step i in level ℓ = 1 of the recursion (where in Step 4, $p_4(\cdot) = p_{4,a,b}(\cdot)$ counts the number of steps required to perform one rewinding). By linearity of expectation, and because the total number t of pairs of messages (and hence of pairs (a, b)) in the history of level ℓ = 1 is at most m · (k + 1) (recall that k is the maximal number of rounds in the protocol), the expected time required to execute level ℓ = 1 of the recursion is upper bounded by:

$$p_1(n) + p_2(n) + p_3(n) + \sum_{(a,b)} \zeta_{a,b} \cdot \frac{1}{\zeta'_{a,b}} \cdot p_{4,a,b}(n) + p_5(n) + p_6(n)$$

$$\le p_1(n) + p_2(n) + p_3(n) + m \cdot (k+1) \cdot p_4(n) + p_5(n) + p_6(n) = \mathrm{poly}(n).$$

Since each invocation of the SOLVE procedure with parameter ℓ > 1 involves four recursive invocations of the SOLVE procedure with parameter ℓ/2, we have that the expected work W(ℓ) that is invested by the SOLVE procedure in order to handle ℓ (first stage) verifier messages satisfies:

(1)

Since the total number of first stage verifier messages in the m sessions of the concurrent schedule equals m · (k + 1), the total expected running time of the simulation process (which consists of a single invocation of the SOLVE procedure with parameter m · (k + 1)) equals W(m · (k + 1)). By linearity of expectation we get that the expected value of W(m · (k + 1)) is upper bounded by:
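Carrying the recurrence through, as an added derivation written in the section's own symbols (it is not an equation reproduced from the page): each invocation with ℓ > 1 costs four invocations of size ℓ/2, and the bottom level costs poly(n), so

$$W(\ell) \le 4\,W(\ell/2) \quad (\ell > 1), \qquad W(1) \le \mathrm{poly}(n).$$

Unrolling for ℓ a power of two gives

$$W(\ell) \le 4^{\log_2 \ell}\, W(1) = \ell^{2} \cdot \mathrm{poly}(n),$$

and substituting ℓ = m · (k + 1) yields

$$W(m \cdot (k+1)) \le m^{2}\,(k+1)^{2} \cdot \mathrm{poly}(n) = \mathrm{poly}(n),$$

since m = poly(n) and k, the number of preamble rounds, is at most polynomial in n.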



We now turn to show that for every G £ HC, the simulator’s output distribution is com- 
putationally indistinguishable from V* ’s view of interactions with the honest prover P. 
Specifically, 

Lemma 2. The ensemble $\{S_{V^*}(G)\}_{G \in HC}$ is computationally indistinguishable from the ensemble $\{\mathrm{view}^P_{V^*}(G)\}_{G \in HC}$.

Indistinguishability of the simulator's output from V*'s view (of m = poly(n) concurrent interactions with P) is shown assuming that the simulator does not get "stuck" during its execution. Since the simulator S will get "stuck" only with negligible probability (see Lemma 3 below), indistinguishability will immediately follow.

The proof actually considers a "hybrid" simulator that on input G = (V, E) ∈ HC obtains a directed Hamiltonian cycle C ⊆ E in G (as auxiliary input) and uses it in order to produce real prover messages whenever it reaches the second stage of the protocol. Specifically, whenever it reaches the second stage of session s ∈ {1, . . . , m}, the hybrid simulator inspects the table T and checks whether it has managed to solve session s (thus being able to convince V* in the second stage of session s). If it has not managed to solve session s, the hybrid simulator outputs ⊥ and halts. Otherwise, the hybrid simulator follows the prescribed prover strategy and generates prover messages for the second stage of the session (by using the cycle C it possesses). The key to proving the above lies in the following two properties:
- First stage messages output by S are (almost) identically distributed to first stage messages sent by P. This property is proved based on the definition of the simulator's actions.

- Second stage messages output by S are computationally indistinguishable from 
second stage messages sent by P. This property is proved based on the special 
zero-knowledge property of Blum’s Hamiltonicity protocol. 

We now turn to argue that the hybrid simulator does not get stuck. 

Lemma 3. Let α : ℕ → ℕ be any super-constant function, let k(n) = α(n) · log n, and consider any instantiation of the protocol of Fig. 3 with parameter k = k(n). Then for any i ∈ {1, . . . , m} the probability of the hybrid simulator getting "stuck" on session i during the simulation is negligible.

Proof. The SOLVE procedure is said to get stuck on session i if it reaches the second stage of session i and the following events occur: (1) the history of the interaction so far does not contain an ABORT message in session i, and (2) the table T does not contain two verifier messages (Vj) and (Vj)' that are replies to two different prover messages (Pj) and (Pj)'. Note that if the history of the interaction does contain an ABORT message in session i then it is not necessary to obtain σ.

Consider any event in which the SOLVE procedure reaches the second stage of ses- 
sion i, and let hist denote the history of the interaction with which the second stage is 
reached. By definition of the solve procedure hist contains the messages first visited by 
the SOLVE procedure. 

As before, we divide the analysis into two cases. In the first case, the number of slots in session i as they appear in hist is precisely k. The key to analyzing this case lies in the fact that the SOLVE procedure as defined in this paper behaves identically to the solve procedure described in [PRS02], except that in the bottom levels of the recursion the former may potentially perform more rewindings than the latter (but never fewer). This means that whenever the PRS variant of the SOLVE procedure manages to obtain the relevant value of σ then so does our variant. By the [PRS02] analysis, we know that as long as the number, k, of slots is super-logarithmic, the PRS variant of the SOLVE procedure fails to obtain σ with negligible probability. Thus, the probability of getting stuck on session i in our case is negligible as well.

In the second case, the number of slots in session i as they appear in hist is strictly 
less than k. By definition of our protocol, this can happen only if there exists a slot in 
the history of the interaction that is footer-free. 

Claim: Suppose that the number of slots in session i is strictly less than k. Then, the 
schedule of messages as it appears in hist contains a slot in the history of the interaction 
that is footer free. 

Consider now any invocation of a bottom level of the recursion in which a footer-free slot j of session i appears amongst messages $(p_1, v_1, \ldots, p_t, v_t) = (\mathrm{hist}, p, v)$. Let $p_a = (Pj)$, $v_b = (Vj)$ be those messages. By definition of the SOLVE procedure, the first messages generated in the visit will appear in hist. Let $p = (Pj)$, $v = (Vj)$ be those messages. The simulator will get stuck if and only if: (1) hist does not contain an ABORT message in session i (and in particular $v_b \neq$ ABORT), and (2) the table T does not contain two verifier messages $v_b = (Vj)$ and $v_{b'} = (Vj)'$ that are replies to two different prover messages $p_a = (Pj)$ and $p_{a'} = (Pj)'$. Since $p_a$ and $v_b$ belong to the same session, if condition (1) is satisfied then the following three rewinding conditions hold:

- $v_b \neq$ ABORT,

- both $v_b$ and $p_a$ belong to session i, and

- the slot between messages $p_a$ and $v_b$ is footer-free.

This in particular means that the SOLVE procedure will rewind the interaction in Step 4, sending random p's until it finds another pair $p'_a = (Pj)'$, $v'_b = (Vj)'$ in session i such that $p_a \neq p'_a$.

We next show that the probability of getting stuck (over the random choices of $p'_a = r \in \{0,1\}^k$ in the visit to the bottom level of the recursion) is precisely $1/2^k$. Since k is super-logarithmic it will immediately follow that the probability that the simulator gets stuck is negligible.

The key observation for the analysis is that, in the event that the slot between messages $p_a$ and $v_b$ is footer-free, it will ultimately be possible to successfully perform the rewinding and reach some $v' = (Vj)$ message, without having to "re-solve" a different session that is nested within the j-th slot of session i. In other words, conditioned on the event of slot j being "footer-free" again (and (Vj) not being equal to ABORT), the rewinding will go through smoothly (since the simulation cannot get stuck on another session during that specific rewinding attempt).

For any G ∈ HC, and for any choice of hist, let $\zeta_{i,a,b} = \zeta_{i,a,b}(G, \mathrm{hist})$ denote the probability that: (1) message $v_b$ corresponds to a (Vj) message that is not equal to ABORT, (2) both $v_b$ and $p_a$ belong to session i, and (3) the slot between messages $p_a$ and $v_b$ is footer-free. The probability $\zeta_{i,a,b}$ is taken over the random choices of $p_a$. Using this notation, the SOLVE procedure proceeds to Step 4 with probability $\zeta_{i,a,b}$ (note that the condition in Step 4 is satisfied in each one of the rewinds with probability $\zeta_{i,a,b}$, independently of other rewinds). We would like to bound the probability that S gets stuck (we denote the event of the simulation getting stuck by having S output ⊥).

Let $S^A$ denote the simulator's execution with black-box access to a machine A, let $\tilde V^* = V^*(p_1, v_1, \ldots, p_{a-1}, v_{a-1})$ denote the "residual" strategy of V* when the messages $(p_1, v_1, \ldots, p_{a-1}, v_{a-1})$ are fixed (i.e., $\tilde V^*(G, r) \stackrel{\mathrm{def}}{=} V^*(G, r;\, p_1, v_1, \ldots, p_{a-1}, v_{a-1})$), let the phrase "S rewinds in Step (4)" represent the event in which the three rewinding conditions from above hold, and let $\zeta_{i,a,b}$ be as above (in other words, the probability with which the "S rewinds in Step (4)" event holds). We then have:

$$\Pr\big[S^{V^*}(G, C) = \bot\big] = \Pr\big[S^{V^*}(G, C) = \bot \,\big|\, S \text{ rewinds in Step (4)}\big] \cdot \Pr\big[S \text{ rewinds in Step (4)}\big] \qquad (2)$$

$$= \Pr\big[S^{V^*}(G, C) = \bot \,\big|\, S \text{ rewinds in Step (4)}\big] \cdot \zeta_{i,a,b}$$

$$= \Pr\big[p_a = p'_a\big] \cdot \zeta_{i,a,b} \qquad (3)$$

Now, since $p_a$ and $p'_a$ are uniformly and independently chosen in $\{0,1\}^k$, and since the number of $r \in \{0,1\}^k$ for which $\tilde V^*(G, r)$ is not equal to ABORT is precisely $2^k \cdot \zeta_{i,a,b}$, it holds that $\Pr[p_a = p'_a] = 1/(2^k \cdot \zeta_{i,a,b})$. Using Eq. (3) we infer that:

$$\Pr\big[S^{V^*}(G, C) = \bot\big] = \frac{1}{2^k \cdot \zeta_{i,a,b}} \cdot \zeta_{i,a,b} = \frac{1}{2^k},$$

as required.

Empirical Study. Here we provide some cursory evidence that the type of adversarial nesting which causes problems for concurrent simulation does not generally occur when verifiers independently send their protocol messages without delaying.

We performed a cursory empirical study of the traffic served by our University department Webserver. We analyzed roughly 122681 TCP sessions (syn-to-fin flows) served over a period of 16 hours; each session consisted of a SYN from a client a to our Webserver, a SYN from the Webserver to a, a FIN from a to the Webserver, and a final FIN from the Webserver to a, such that the entire flow corresponded to a request and an error message response served by the Webserver. We considered error messages because they are not input/output bound and therefore require roughly the same server processing time. The (4-flow) message pattern corresponds to a 1-slot preamble for our ZK protocol. From this experiment, we counted 26579 nested sessions. In other words, roughly 79% of the sessions were message-free, and would therefore only require 1 slot in our simplest optimistic protocol. (Of the remaining 21%, we cannot determine whether they would have required a second slot given the data set.) Moreover, this small data set reflected a high level of concurrency: there were 57161 instances in which one session overlapped another session.

Acknowledgements. We thank the anonymous reviewers and Vinod Vaikuntanathan 
for helpful comments concerning our definition of security, and in particular about the 
possibility of our protocols leaking information about the presence of other concurrent 
sessions (as discussed in the beginning of Section 2). 
A Comparison with Other Approaches

Consider an alternative Prover strategy that we denote reset-on-nesting: 

For some fixed constant C, send a “reset” message to any protocol sessions 
that have more than C nested sessions that begin and end within a slot. When 
a slot is reset, the verifier starts the protocol from the beginning. 

The security proof for schedules with an upper-bounded number of nestings is straight- 
forward. Moreover, only one slot is needed in this “reset-on-nesting” strategy for the 
security proof. Unfortunately, the reset-on-nesting idea has two major problems. First 
is an issue of completeness: it is possible for an honest Prover, and an honest but very 
slow Verifier to repeatedly fail in successfully completing a protocol. 

Definition 3 (Completeness). A concurrent protocol $\Pi = (P_1, \ldots, P_n)$ is complete when, for any schedule of concurrently executing sessions, and for every execution between honest parties $P_1, \ldots, P_n$, every $P_i$ eventually halts and outputs (1, z) (to indicate success).

A second more troubling problem is one of intentional starvation: a malicious Prover 
may indefinitely postpone a proof by claiming the session has become too nested. An 
honest verifier has no way to audit the schedule of messages received by the Prover, and 
thus no recourse but to restart the protocol (which may fail again for the same reason). 
Even with auditing, the malicious prover may create a fictitious verifier instance and intentionally schedule this verifier so as to create nested sessions in the honest verifier's slots. Thus, even an "honestly recorded" transcript of all of the Prover's messages could be justifiably used to starve the honest verifier.

Accountable Aborting versus fail. To be sure, a malicious prover may abort a pro- 
tocol for many reasons; but this event is fundamentally different than the postponement 
attack discussed above: An abort is an admission of guilt by the malicious prover; a 
postponement attack is an accusation by the Prover of malice on the part of the Verifier! 

Borrowing terminology from the distributed algorithms community, we state the con- 
cept of starvation-free protocols below. As mentioned, the solution in this paper is a 
starvation-free protocol, while the reset-on-nesting protocol is not. 

Definition 4 (Starvation-Free Protocol). A starvation-free concurrent protocol $\Pi = (P_1, \ldots, P_n)$ is one that guarantees that for any adversary $P^*_i$, and for any schedule of messages of concurrently executing sessions, every honest party $P_j$, j ≠ i, interacting with $P^*_i$ eventually halts with output (1, z) or aborts with output (0, z).

(Note that z is arbitrary protocol-specific output, i.e., it could be f(x, y) in the case of two-party secure function evaluation.)

A reset-on-nesting protocol cannot be both complete and starvation-free. Either the 
protocol requires the Verifier to tolerate an infinite number of resets (in order to satisfy 
completeness) — in which case it is not starvation free — or it requires the Verifier to 
upper-bound the number of messages it tolerates before abort and output 0 (in order 
to satisfy starvation free-ness) — in which case it is not complete. 

For this reason, we prefer our optimistic model to the reset-on-nesting protocol. 

A.l Comparison with the Timing Model 

The timing model adds a notion of time to the standard communication model by (a) giving each party a local clock, (b) having all parties share a global bound $\rho > 1$ on the relative rates of the different clocks (i.e., clock drift), and (c) having all parties share a global bound $\Delta$ on the message-delivery time (which includes the time for local computation to receive and prepare messages). Protocols in the timing model can time out messages that have not arrived in time $\Delta$, and delay outgoing messages by a delay period that is also at least as big as $\Delta$. 

Prior work [DNS98, Gol02, PTV10] in this model employs the TIMEOUT and DELAY operations. Protocols in this model have two disadvantages: first, every protocol execution is forced to run for worst-case time $c \cdot \Delta$ even if the parties involved can communicate quickly. Transmission delays to some parts of the internet can be measured in fractions of a day, and so for completeness, $\Delta$ would have to be reasonably large. Whereas our protocol allows fast participants to complete interactions "as fast as the network allows," the timing protocols of [DNS98, Gol02] require all sessions to run in time related to worst-case network delays. Conceptually, our protocol handles more diverse schedules, whereas the timing model protocols use timing to ensure "roughly parallel" composition. 

The work of [PTV10] reduces the required delay to some small constant $c < 1$. This protocol is a major practical improvement to the timing model; however, it too must delay the verifier by some multiplicative penalty of the time it takes for the verifier to respond, and it requires 3 slots. For example, every session must run at least twice as slowly (their penalty function is a parameter and can be $\omega(1)$ in some cases also) "as the network allows," and each verifier must still complete multiple slots (whereas in optimistic cases, only 1 slot is required). 

New problems of Accountability. Unfortunately, any setting of $\Delta$ introduces the second, more subtle problem with timeouts: much like the intentional starvation discussed above, a malicious Prover can send a timeout to a Verifier to avoid having to abort a session that it cannot complete. The verifier has no way to "contest" this timeout. As we will argue, such a use of timeouts introduces a new way for a malicious prover to cheat that is not possible in the standard model. 

The basis for this problem is that clocks in the timing model must be local and unauthenticatable to allow the simulator to rewind the verifier (or the prover, in the case of a proof of knowledge). If a local clock could be authenticated, then a malicious verifier algorithm $V^*$ could refuse to answer any message that is too old according to its clock, and this would eliminate the possibility of rewinding. As a result, local clock timestamps that appear in transcripts or communication tapes can be forged by any party; it is not possible for a third party to verify such a timestamp. 

This leads to the problem that transcripts that arise from the following two cases are indistinguishable, which removes any accountability for aborting: 

1. A malicious Prover algorithm receives a message from an honest Verifier, waits for time $\Delta + \epsilon$, and then sends timeout. 

2. A malicious Verifier algorithm delays sending a message for time $\Delta + \epsilon$, and then sends its message. The honest Prover consequently sends a timeout message. 

Let us compare this situation to the standard model in which — say — messages can be 
authenticated. (Notice that messages can be authenticated and still allow rewinding.) 
Of course, a malicious prover can always abort a protocol by either sending an incor- 
rect message or refusing to send any message. Both cases, however, are fundamentally 
different from the ability of a malicious prover to send a timeout. 

When the Prover sends a bogus message, the verifier has proof (via the authenticated 
message) that the Prover cannot supply a proof of the statement, and the prover is 
therefore accountable for the abort. In fact, the second case is the same. As described 
by Canetti [Can01], "not sending a message" in the standard model is handled by an 
explicit halt which is proof that the Prover has failed. 

Protocol participants are modeled as strict polynomial-time interactive Turing 
machines; one machine sends a message to another by writing on the recip- 
ient's "communication tape." Message delivery is not guaranteed. However, 
when one machine executes a halt operation, the other party in a protocol 
execution is informed of the HALT via this communication tape. This modeling 
guarantees that one party is not inadvertently left waiting for a message that 
will never arrive.³ It is important to note that the standard model does not have 
any notion of "time" except for steps of computation. 

Thus, the standard model makes it possible to determine which of the two parties 
cheated in an interaction. In contrast, the timing model with TIMEOUTS allows a ma- 
licious Prover to be unaccountable for its cheating. While we acknowledge that such a 
difference may be purely theoretical, it is nonetheless conceptually troubling. 

Comparison with Responsive Round Complexity. Cohen, Kilian and Petrank propose the notion of responsive round complexity [CKP01]. A protocol is said to have responsive round complexity $m$ with party $A$ if it can guarantee that if $A$ responds to every message of the protocol in at most time $t$, then the overall communication delay of the protocol execution is $m \cdot t$. The idea behind the protocol in that paper is the following: 

Every verifier is assigned a time bin $T$. If a verifier $V$ delays a message by time $t \leq T$, then the prover delays the response to $V$ by time $2T$. If a verifier delays a message by time $t > T$, then the verifier is moved into time bin $2T$, and the verifier must restart the protocol from the beginning. 

³ In particular, this mechanism is how a malicious party that does not send a message is modeled — since the party must be strict polynomial-time, if it refuses to send a message, we assume it runs a computation, eventually HALTS and then the recipient learns that the other party has aborted. 

Slow verifiers are penalized. In particular, this Prover strategy clumps verifiers into 
"time buckets" such that all verifiers in the same bucket act in a roughly parallel manner. 
The analysis used in the timing model work can then be applied. 

Overall, the goal of this notion is to assure that a party that always responds quickly has a stronger guarantee on the communication time of the overall protocol. Similarly, our work also attempts to improve the communication time for Verifiers that respond quickly. However, the protocols in that work still have at least $\omega(\log n)$ slots in the best case when the verifiers respond quickly. (In other words, their protocol guarantees responsive round complexity of $O(\log n)$ whereas our protocol can use only 1 slot when the Verifier responds quickly.) 

Buffering Sessions. Another idea is for the Prover to buffer sessions so that each one 
starts only after the previous session finishes. Buffering sessions, i.e. serializing them, 
eliminates the benefits of having multiple sessions run safely at the same time. 

Denial of Service. A malicious verifier can "force" the protocol to require just as many 
rounds as the current best fixed-round cZK protocol. This is not a denial-of-service 
attack because the malicious verifier can only force the same round complexity that 
the best current protocols achieve — thus, the optimistic approach is never worse than 
PRS. Moreover, in every additional round forced by a bad schedule, V* is required to 
communicate and compute more than the Prover. 

Handling Server Farms. Our optimistic approach requires the Prover to know the 
global schedule of Verifier messages. Very large systems, however, are usually built on 
clusters of servers instead of a single machine. Our optimistic approach can be made to 
work on clusters using a consensus protocol to share schedules among the servers. Since 
all servers belong to the same entity and are connected through internal fast links, the 
consensus protocol would work “in the best case” (as opposed to the Byzantine case) for 
most sessions. In other words, our protocol is viable even after counting the overhead 
to make all prover machines agree on a schedule of verifier requests. To be sure, many 
very large systems in existence today require even more complicated consensus on the 
order of requests that they serve. For example, consider distributed database systems 
(sometimes distributed over tens of thousands of machines), social network sites, and 
some distributed file systems that are implemented across thousands of machines. 
Abstract. We describe two improvements to Gentry's fully homomorphic scheme based on ideal lattices and its analysis: we provide a more aggressive analysis of one of the hardness assumptions (the one related to the Sparse Subset Sum Problem) and we introduce a probabilistic decryption algorithm that can be implemented with an algebraic circuit of low multiplicative degree. Combined together, these improvements lead to a faster fully homomorphic scheme, with a $\tilde{O}(\lambda^{3.5})$ bit complexity per elementary binary add/mult gate, where $\lambda$ is the security parameter. These improvements also apply to the fully homomorphic schemes of Smart and Vercauteren [PKC'2010] and van Dijk et al. [Eurocrypt'2010]. 

Keywords: fully homomorphic encryption, ideal lattices, SSSP. 

1 Introduction 

A homomorphic encryption scheme allows any party to publicly transform a collection of ciphertexts for some plaintexts $\pi_1, \ldots, \pi_n$ into a ciphertext for some function/circuit $f(\pi_1, \ldots, \pi_n)$ of the plaintexts, without the party knowing the plaintexts themselves. Such schemes are well known to be useful for constructing privacy-preserving protocols, for example as required in 'cloud computing' applications: a user can store encrypted data on a server, and allow the server to process the encrypted data without revealing the data to the server. For over 30 years, all known homomorphic encryption schemes supported only a limited set of functions $f$, which restricted their applicability. The theoretical problem of constructing a fully homomorphic encryption scheme supporting arbitrary functions $f$ was only recently solved by the breakthrough work of Gentry [9]. More recently, two further fully homomorphic schemes were presented [26,5], following Gentry's framework. The underlying tool behind all these schemes is the use of Euclidean lattices, which have previously proved powerful for devising many cryptographic primitives (see, e.g., for a recent survey). 

A central aspect of Gentry's fully homomorphic scheme (and the subsequent schemes) is the ciphertext refreshing Recrypt operation. The ciphertexts in Gentry's scheme contain a random 'noise' component that grows in size as the ciphertext is processed to homomorphically evaluate a function $f$ on its plaintext. Once the noise size in the ciphertext exceeds a certain threshold, the ciphertext can no longer be decrypted correctly. This limits the number of homomorphic operations that can be performed. To get around this limitation, the Recrypt operation allows one to 'refresh' a ciphertext, i.e., given a ciphertext $\psi$ for some plaintext $\pi$, to compute a new ciphertext $\psi'$ for it (possibly for a different key), but such that the size of the noise in $\psi'$ is smaller than the size of the noise in $\psi$. By periodically refreshing the ciphertext (e.g., after computing each gate in $f$), one can then evaluate arbitrarily large circuits $f$. 

M. Abe (Ed.): ASIACRYPT 2010, LNCS 6477, pp. 377–394, 2010. 

The Recrypt operation is implemented by evaluating the decryption circuit of the encryption scheme homomorphically, given 'fresh' (low noise) ciphertexts for the bits of the ciphertext to be refreshed and the scheme's secret key. This homomorphic computation of the decryption circuit must of course be possible without any ciphertext refreshing, a condition referred to as bootstrappability. Thus, the complexity (in particular circuit depth, or multiplicative degree) of the scheme's decryption circuit is of fundamental importance to the feasibility and complexity of the fully homomorphic scheme. Unfortunately, the relatively high complexity of the decryption circuit in the schemes [9,26,5], together with the tension between the bootstrappability condition and the security of the underlying hard problems, implies the need for large parameters and leads to resulting encryption schemes of high bit-complexity. 

Our Contributions. We present improvements to Gentry's fully homomorphic scheme [9] and its analysis, that reduce its complexity. Overall, letting $\lambda$ be the security parameter (i.e., all known attacks against the scheme take time $\geq 2^\lambda$), we obtain a $\tilde{O}(\lambda^{3.5})$ bit complexity for refreshing a ciphertext corresponding to a 1-bit plaintext. This is the cost per gate of the fully homomorphic scheme. To compare with, Gentry [9, Ch. 12] claims a $\tilde{O}(\lambda^6)$ bound, although the proof is incomplete.¹ The improved complexity stems from two sources. First, we give a more aggressive security analysis of the Sparse Subset Sum Problem (SSSP) against lattice attacks, compared to the analysis given in [9]. The SSSP, along with the Ideal lattice Bounded Distance Decoding (BDD) problem, are the two hard problems underlying the security of Gentry's fully homomorphic scheme. In his security analysis of BDD, Gentry uses the best known complexity bound for the approximate shortest vector problem (SVP) in lattices, but in analyzing SSSP, Gentry assumes the availability of an exact SVP oracle. Our new finer analysis of SSSP takes into account the complexity of approximate SVP, making it more consistent with the assumption underlying the analysis of the BDD problem, and leads to smaller parameter choices. Second, we relax the definition of fully homomorphic encryption to allow for a negligible but non-zero probability 

¹ This bound is claimed to hold for the scheme after Optimizations 1 and 2 of [9, Se. 12.3], but the analysis does not include the cost of the ciphertext expansion nor details which decryption circuit is applied homomorphically. For instance, the decryption circuit from [5, Le. 6.3] is too costly to derive the bound. These gaps can be filled using the corresponding section of the present article, and the bound $\tilde{O}(\lambda^6)$ indeed holds. 
of decryption error. We then show that, thanks to the randomness underlying Gentry's 'SplitKey' key generation for his squashed decryption algorithm (i.e., the decryption algorithm of the bootstrappable scheme), if one allows a negligible decryption error probability, then the rounding precision used in representing the ciphertext components can be roughly halved, compared to the precision in [9] which guarantees zero error probability. The reduced ciphertext precision allows us to decrease the degree of the decryption circuit. We concentrate on Gentry's scheme [9], but our improvements apply equally well to the other related schemes [26,5]. 


Notation. Vectors will be denoted in bold. If $x \in \mathbb{R}^n$, then $\|x\|$ denotes the Euclidean norm of $x$. We make use of the Landau notations $O(\cdot)$, $\tilde{O}(\cdot)$, $\omega(\cdot)$, $\Omega(\cdot)$, $\tilde{\Omega}(\cdot)$, $\Theta(\cdot)$, $o(\cdot)$. If $n$ grows to infinity, we say that a function $f(n)$ is negligible if it is asymptotically $< n^{-c}$ for any $c > 0$. If $X$ is a random variable, $E[X]$ denotes its mean and $\Pr[X = x]$ denotes the probability of the event "$X = x$". We say that a sequence of events $E_n$ holds with overwhelming probability if $\Pr[\neg E_n] < f(n)$ for a negligible function $f$. We will use the following variant of the Hoeffding bound [13]. 

Lemma 1.1. Let $X_1, \ldots, X_t$ denote independent random variables with mean $\mu$, where $X_i \in [a_i, b_i]$ for some $a, b \in \mathbb{R}^t$. Let $X = \sum_i X_i$. Then: 

$$\forall k > 0 : \quad \Pr\big[\,|X - t\mu| \geq k\,\big] \leq 2 \cdot \exp\!\big(-2k^2 / \|b - a\|^2\big).$$ 

Remark. Due to space limitations, some contents of the article are only given in the appendices of the full version, which is available on the authors' webpages. These include: a sketch of Gentry's bootstrapping transformation [9], adapted to handle decryption errors; a proof that an ideal sampled from Gentry's distribution is of prime determinant with overwhelming probability, when the considered ring is $\mathbb{Z}[x]/(x^n + 1)$; the proofs of Lemmata 3.2 and 3.3 and the application of our improvements to other fully homomorphic encryption schemes. 

2 Reminders 

For a detailed introduction to the computational aspects of lattices, we refer 
to [23]. The article [8] provides an intuitive description of Gentry's fully homo- 
morphic scheme. 

2.1 Euclidean Lattices 

An $n$-dimensional lattice $L$ is the set of all integer linear combinations of some linearly independent vectors $b_1, \ldots, b_n \in \mathbb{Z}^n$, i.e., $L = \sum_i \mathbb{Z} b_i$. The $b_i$'s are called a basis of $L$. A basis $B = (b_1, \ldots, b_n) \in \mathbb{Z}^{n \times n}$ is said to be in Hermite Normal Form (HNF) if $b_{i,j} = 0$ for $i > j$ and $0 \leq b_{i,j} < b_{i,i}$ otherwise. The HNF of a lattice is unique and can be computed in polynomial time given any basis, which arguably makes it a worst-case basis [10]. To a basis $B = (b_1, \ldots, b_n) \in \mathbb{Z}^{n \times n}$ for lattice $L$, we associate the fundamental parallelepiped $\mathcal{P}(B) = \{v = \sum_i y_i \cdot b_i : y_i \in (-1/2, 1/2]\}$. For a vector $v \in \mathbb{R}^n$, we denote by $v \bmod B$ the unique vector $v' \in \mathcal{P}(B)$ such that $v - v' \in L$. Note that $v' = v - B\lfloor B^{-1} v \rceil$, where $\lfloor \cdot \rceil$ rounds the coefficients to the nearest integers (upwards in case of a real that is equally distant to two consecutive integers). 

The minimum $\lambda_1(L)$ is the norm of any shortest non-zero vector in $L$. More generally, the $i$th minimum $\lambda_i(L)$ is the radius of the smallest ball containing $i$ linearly independent lattice vectors. We define the lattice amplitude as the ratio $\lambda_n(L)/\lambda_1(L)$. We now define two parametrized families of algorithmic problems that are central for Euclidean lattices. Let $\gamma \geq 1$ be a function of the dimension. The $\gamma$-SVP (for Shortest Vector Problem) computational problem consists in finding a vector $b \in L$ such that $0 < \|b\| \leq \gamma \lambda_1(L)$, given as input an arbitrary basis for $L$. The $\gamma$-BDD (for Bounded Distance Decoding) computational problem consists in finding a vector $b \in L$ closest to $t$, given as inputs an arbitrary basis for $L$ and a target vector $t$ whose distance to $L$ is $\leq \gamma^{-1} \lambda_1(L)$. Solving $\gamma$-SVP and $\gamma$-BDD are in general computationally hard problems. The best algorithms for solving them for $\gamma = 1$ ([?]) run in time exponential with respect to the dimension. On the other hand, the smallest $\gamma$ one can achieve in polynomial time is exponential, up to poly-logarithmic factors in the exponent ([17,24]). For intermediate $\gamma$, the best strategy is the hierarchical reduction of [?], and leads to the following conjecture. 

Lattice 'Rule of Thumb' Conjecture. There exist absolute constants $c_1, c_2 > 1$ such that for any $\lambda$ and any dimension $n$, for any $n$-dimensional lattice with amplitude $\leq \gamma/c_2$, one cannot solve $\gamma$-SVP (resp. $\gamma$-BDD) in time smaller than $2^\lambda$, with $\gamma = c_1^{n/\lambda}$. 

Let us discuss the conjecture. One often considers the lattice gap $\lambda_2/\lambda_1$. If $\lambda_2/\lambda_1 \geq \gamma$, then $\gamma$-SVP is equivalent to $\gamma'$-SVP for any $\gamma' \leq \lambda_2/\lambda_1$: a $\gamma'$-SVP solver is guaranteed to output a multiple of a shortest vector, from which solving SVP is easy. Similarly, if $\lambda_2/\lambda_1 = O(1)$ but $\lambda_3/\lambda_1 \geq \gamma$, then lattice reduction will return a basis whose first two vectors span a sublattice containing vectors reaching $\lambda_1$ and $\lambda_2$: SVP can then be solved by 2-dimensional reduction. This explains why we consider $\lambda_n/\lambda_1$ rather than the more standard $\lambda_2/\lambda_1$. Note that for most common lattices, there is no a priori reason to expect $\lambda_n$ to be significantly larger than $\lambda_2$. Finally, when $\lambda_n/\lambda_1 \leq \gamma$, the complexity of $\gamma$-SVP does not seem to depend on $\lambda_n/\lambda_1$. The experimental results in [7] seem to be consistent with this conjecture. 

Algorithmic improvements have been proposed (e.g., [?]), but they have 
only led to better constants, without changing the overall framework. The con- 
jecture seems to hold even if one considers quantum computers [?]. We will 
consider it for two families of lattices: no algorithm is known to perform non- 
negligibly better for them than for general lattices. 

For a lattice $L$, we define $\det L$ as $|\det B|$ for any basis $B$. Minkowski's theorem provides a link between the minimum and the determinant. 

Theorem 2.1 ([?, III.2.2]). Let $L$ be an $n$-dimensional lattice and $V$ be a compact convex set that is symmetric about the origin. Let $m \geq 1$ be an integer. If $\mathrm{vol}(V) \geq m \, 2^n \det(L)$, then $V$ contains at least $m$ non-zero pairs of points $\pm b$ of $L$. 
2.2 Ideal Lattices 

Let $f \in \mathbb{Z}[x]$ be a monic irreducible polynomial of degree $n$. Let $R$ denote the polynomial ring $\mathbb{Z}[x]/f$. Let $I$ be an (integral) ideal of $R$, i.e., a subset of $R$ that is closed under addition, and under multiplication by arbitrary elements of $R$. By mapping polynomials to the vectors of their coefficients, we see that the ideal $I$ corresponds to a sublattice of $\mathbb{Z}^n$: we can thus view $I$ as both a lattice and an ideal. An ideal lattice for $f$ is a sublattice of $\mathbb{Z}^n$ that corresponds to an ideal $I \subseteq \mathbb{Z}[x]/f$. In the following, an ideal lattice will implicitly refer to an $f$-ideal lattice. For $v \in R$ we denote by $\|v\|$ its Euclidean norm (as a vector). We define a multiplicative expansion factor $\gamma_\times(R)$ for the ring $R$ by $\gamma_\times(R) = \max_{u, v \in R} \frac{\|u \times v\|}{\|u\| \cdot \|v\|}$. A typical choice is $f = x^n + 1$ with $n$ a power of 2, for which $\gamma_\times(R) = \sqrt{n}$ (see [9, Th. 9]). 

Two ideals $I$ and $J$ of $R$ are said coprime if $I + J = R$, where $I + J = \{i + j : i \in I, j \in J\}$. An ideal $I$ is said prime of degree 1 if $\det(I)$ is prime. For an ideal $J$ of $R$, we define $J^{-1} = \{u \in \mathbb{Q}[x]/f : \forall v \in J, u \times v \in R\}$. This is a fractional ideal of $R$, and $J^{-1} \subseteq \frac{1}{\det J} R$ (since $(\det J) \cdot R \subseteq J$). If $f = x^n + 1$ with $n$ a power of 2, then $R$ is the ring of integers of the $(2n)$th cyclotomic field and $J^{-1} \times J = R$ for any integral ideal $J$ (the product of two ideals $I_1$ and $I_2$ being the ideal generated by all products $i_1 \cdot i_2$ with $i_1 \in I_1$ and $i_2 \in I_2$). An ideal $I$ is said principal if it is generated by a single element $r \in I$, and then we write $I = (r)$. We define $\mathrm{rot}_f(r) \in \mathbb{Q}^{n \times n}$ as the basis of $I$ consisting of the $x^k r(x) \bmod f$'s, for $k \in [0, n-1]$. 

If $I$ is an ideal lattice for $f = x^n + 1$, then we have $\lambda_1(I) \geq \det(I)^{1/n}$: an easy way to prove it is to notice that the rotations $x^k v$ of any shortest non-zero vector $v$ form a basis of a full-rank sublattice of $I$, and to use the inequalities $\lambda_1(I)^n = \prod_k \|x^k v\| \geq \det((v)) \geq \det I$. 


2.3 Homomorphic Encryption 

In this section, we review definitions related to homomorphic encryption. Our 
definitions are based on [9,8], but we slightly relax the definition of decryption 
correctness, to allow a negligible probability of error. This is crucial for our 
probabilistic improvement to Gentry's Recrypt algorithm. 

Definition 2.1. A homomorphic encryption scheme Hom consists of four algorithms: 

• KeyGen: Given security parameter $\lambda$, returns a secret key $sk$ and a public key $pk$. 

• Enc: Given plaintext $\pi \in \{0, 1\}$ and public key $pk$, returns ciphertext $\psi$. 

• Dec: Given ciphertext $\psi$ and secret key $sk$, returns plaintext $\pi$. 

• Eval: Given public key $pk$, a $t$-input circuit $C$ (consisting of addition and multiplication gates modulo 2), and a tuple of ciphertexts $(\psi_1, \ldots, \psi_t)$ (corresponding to the $t$ input bits of $C$), returns a ciphertext $\psi$ (corresponding to the output bit of $C$). 

Hom is said correct for a family $\mathcal{C}$ of circuits with $\leq t = \mathrm{Poly}(\lambda)$ input bits if for any $C \in \mathcal{C}$ and input bits $(\pi_i)_{i \leq t}$, the following holds with overwhelming probability over the randomness of KeyGen and Enc: 

$$\mathrm{Dec}\big(sk, \mathrm{Eval}(pk, C, (\psi_1, \ldots, \psi_t))\big) = C(\pi_1, \ldots, \pi_t),$$ 

where $(sk, pk) = \mathrm{KeyGen}(\lambda)$ and $\psi_i = \mathrm{Enc}(pk, \pi_i)$ for $i = 1, \ldots, t$. 

Hom is said compact if for any circuit $C$ with $\leq t = \mathrm{Poly}(\lambda)$ input bits, the bit-size of the ciphertext $\mathrm{Eval}(pk, C, (\psi_1, \ldots, \psi_t))$ is bounded by a fixed polynomial $b(\lambda)$. 

Gentry defined the powerful notion of a bootstrappable homomorphic encryption scheme: one that can homomorphically evaluate a decryption of two ciphertexts followed by one gate applied to the decrypted values. We also relax this notion to allow decryption errors. 

Definition 2.2. Let Hom = (KeyGen, Enc, Dec, Eval) denote a homomorphic encryption scheme. We define two circuits: 

• Dec-Add: Takes as inputs a secret key $sk$ and two ciphertexts $\psi_1, \psi_2$, and computes $\mathrm{Dec}(sk, \psi_1) + \mathrm{Dec}(sk, \psi_2) \bmod 2$. 

• Dec-Mult: Takes as inputs a secret key $sk$ and two ciphertexts $\psi_1, \psi_2$, and computes $\mathrm{Dec}(sk, \psi_1) \times \mathrm{Dec}(sk, \psi_2) \bmod 2$. 

Hom is said bootstrappable if it is correct for Dec-Add and Dec-Mult. 

Gentry discovered that a bootstrappable homomorphic encryption can be used to homomorphically evaluate arbitrary circuits. More precisely, he proved the following result (adapted to allow for decryption error). The construction is sketched in the full version. 

Theorem 2.2 ([9, Se. 2]). Given a bootstrappable homomorphic encryption scheme Hom, and parameter $d = \mathrm{Poly}(\lambda)$, it is possible to construct another homomorphic encryption scheme $\mathrm{Hom}^{(d)}$ that is compact and correct for all circuits of size $\mathrm{Poly}(\lambda)$. Furthermore, if the scheme Hom is semantically secure, then so is the scheme $\mathrm{Hom}^{(d)}$. 


3 Summary of Gentry’s Fully Homomorphic Scheme 

We now review Gentry's fully homomorphic encryption scheme [9,8]. 

3.1 The Somewhat Homomorphic Scheme 

We first recall Gentry's somewhat homomorphic encryption scheme (see [9, Se. 5.2 and Ch. 7]) which supports a limited number of multiplications. It is the basis for the bootstrappable scheme presented in Subsection 3.3. The scheme, described in Figure 1, produces ciphertexts in the ring $R = \mathbb{Z}[x]/f$ for a suitable 


Faster Fully Homomorphic Encryption 383 


irreducible monic polynomial $f$ of degree $n$. In this paper, we will assume $f = x^n + 1$ with $n$ a power of 2. Here $n$ is a function of the security parameter $\lambda$. 

The key generation procedure generates two coprime ideals $I$ and $J$ of $R$. The ideal $I$ has basis $B_I$. To simplify the scheme (and optimize its efficiency), a convenient choice, which we assume in this paper, is to take $I = (2)$: reduction of $v$ modulo $I$ corresponds to reducing the coefficients of the vector/polynomial $v$ modulo 2. The ideal $J$ is generated by an algorithm IdealGen that, given $(\lambda, n)$, generates a 'good' secret basis $B_{sk}$ (consisting of short, nearly orthogonal vectors) and computes its HNF to obtain a 'bad' public basis $B_{pk}$. Suggestions for concrete implementations of IdealGen are given in [9, Se. 7.6], [11] and [20]. To obtain the $\tilde{O}(\lambda^{3.5})$ bit complexity bound, we will assume that $J$ is a degree 1 prime ideal, which is the case with the implementation of [26] and is also the case with probability exponentially close to 1 for the distribution considered in [9] (see full version). Associated with IdealGen is a parameter $r_{Dec}$, which is a lower bound on the radius of the largest origin-centered ball which is contained inside $\mathcal{P}(B_{sk})$. In all cases we have $r_{Dec} \geq \lambda_1(J)/\mathrm{Poly}(n)$ (see, e.g., [9, Le. 7.6.2]). Using Babai's rounding-off algorithm [1] with $B_{sk}$, the decryptor can recover the point of $J$ closest to any target vector within distance $r_{Dec}$ of $J$ (see [9, Le. 7.6.1]). 

• KeyGen($\lambda$): Run IdealGen($\lambda, n$) to generate secret/public bases $(B_{sk}, B_{pk})$ for ideal $J$ such that $\mathcal{P}(B_{sk})$ contains an origin-centered ball of radius $r_{Dec} \approx \lambda_1(J)$. Return public key $pk = B_{pk}$ and secret key $sk = B_{sk}$. 

• Enc($pk, \pi$): Given plaintext $\pi \in \{0, 1\}$ and public key $pk$, run Samp($I, \pi$) to get $\pi' \in \pi + I$ with $\|\pi'\| \leq r_{Enc}$. Return ciphertext $\psi = \pi' \bmod B_{pk}$. 

• Dec($sk, \psi$): Given ciphertext $\psi$ and secret key $sk$, return $\pi = (\psi \bmod B_{sk}) \bmod I$. 

• Eval($pk, C, (\psi_1, \ldots, \psi_t)$): Given public key $pk$, circuit $C$ and ciphertexts $\psi_1, \ldots, \psi_t$, for each add or multiply gate in $C$, perform a $+$ or $\times$ operation in $R$ mod $B_{pk}$, respectively, on the corresponding ciphertexts. Return the ciphertext $\psi$ corresponding to the output of $C$. 

Fig. 1. Gentry's Somewhat Homomorphic Encryption Scheme SomHom 

The plaintext space is a subset of $\mathcal{P}(I)$, that we assume to be $\{0, 1\}$. The encryption algorithm uses a sampling algorithm Samp, which given $(B_I, x)$ for a vector $x \in R$, samples a 'short' vector in the coset $x + I$. Concrete implementations of Samp are given in [9, Se. 7.5 and 14.1]. Associated with Samp is a parameter $r_{Enc}$, which is a (possibly probabilistic) bound on the norms of vectors output by Samp. For both implementations, one can set $r_{Enc} = \mathrm{Poly}(n)$. To encrypt a message $\pi$, a sample $\pi + i$ from the coset $\pi + I$ is generated, and the result is reduced modulo the public basis $B_{pk}$: $\psi = \pi + i \bmod B_{pk}$. It is assumed that $r_{Enc} < r_{Dec}$. Therefore, by reducing $\psi$ modulo the secret basis $B_{sk}$ one can recover $\pi + i$, and then plaintext $\pi$ can be recovered by reducing modulo $B_I$. 

Homomorphic addition and multiplication of the encrypted plaintexts $\pi_1, \pi_2$ modulo $B_I$ are supported by performing addition and multiplication respectively in the ring $R$ on the corresponding ciphertexts modulo $B_{pk}$. Namely, for $\psi_1 = \pi_1 + i_1 \bmod B_{pk}$, $\psi_2 = \pi_2 + i_2 \bmod B_{pk}$ with $i_1, i_2 \in I$, we have $\psi_1 + \psi_2 \bmod B_{pk} \in (\pi_1 + \pi_2) + I \bmod B_{pk}$ and $\psi_1 \times \psi_2 \bmod B_{pk} \in (\pi_1 \times \pi_2) + I \bmod B_{pk}$. However, for ensuring correct decryption of these new ciphertexts, we need that $\|(\pi_1 + i_1) + (\pi_2 + i_2)\|, \|(\pi_1 + i_1) \times (\pi_2 + i_2)\| < r_{Dec}$. This limits the degree of polynomials that can be evaluated homomorphically. Note that our choice for $J$ implies that a ciphertext reduced modulo $B_{pk}$ is simply an integer modulo $\det(J)$ and thus homomorphic evaluations modulo $B_{pk}$ reduce to integer arithmetic modulo $\det(J)$ (such as in [26]). 


3.2 A Tweaked Somewhat Homomorphic Scheme 

Gentry [9, Ch. 8] introduced tweaks to SomHom to simplify the decryption algo- 
rithm towards constructing a fully homomorphic scheme. The tweaked scheme 
SomHom' differs from the original scheme in the key generation and decryption 
algorithm, as detailed in Figure 2. 


• KeyGen'($\lambda$): Run KeyGen($\lambda$) to obtain $(B_{sk}, B_{pk})$. From $B_{sk}$, compute a vector $v^J_{sk} \in J^{-1}$ such that $\mathcal{P}(\mathrm{rot}_f(v^J_{sk})^{-1})$ contains a ball of radius $r'_{Dec}$ (see [9, Le. 8.3.1]). Return public key $pk = B_{pk}$ and secret key $sk = B_{sk}$. 

• Dec'($sk, \psi$): Given ciphertext $\psi$ and secret key $sk$, return $\pi = \psi - \lfloor v^J_{sk} \times \psi \rceil \bmod I$. 

Fig. 2. Algorithms of the Tweaked Somewhat Homomorphic Encryption Scheme SomHom' that differ from those of SomHom 

Gentry showed the following on the correctness of Dec'. 

Lemma 3.1 (Adapted from [9, Le. 8.3.1 and 8.4.2]). A ciphertext $\psi = \pi + i \bmod B_{pk}$ with $\|\pi + i\| \leq r'_{Dec}$ is correctly decrypted to $\pi$ by Dec'. Moreover, if $\|\pi + i\| \leq r'_{Dec}$, then each coefficient of $v_{sk} \times \psi$ is within $1/8$ of an integer. 
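The scheme of Figures 1 and 2 in a toy instance, as an added example that is not part of the paper or of any implementation it cites. It assumes $n = 4$ and $f = x^4 + 1$, takes $J = (r)$ with $r \equiv 1 \bmod 2$ (Gentry's tweak that lets Dec' read the plaintext off directly), samples noise with coefficients in $\{-1, 0, 1\}$, and follows the paper's remark at the end of 3.1 that for a degree-1 prime $J$ a ciphertext reduced modulo $B_{pk}$ is an integer modulo $\det(J)$, so Eval is integer arithmetic. Decryption is $\psi - \lfloor v_{sk} \times \psi \rceil \bmod 2$ with $v_{sk} = r^{-1} \in J^{-1}$, which coincides with the Babai rounding-off $(\psi \bmod B_{sk}) \bmod I$ of Fig. 1 in the basis $\mathrm{rot}_f(r)$ (Section 2.1). Obtaining the root $\rho$ of $f$ modulo $d$ from $d \cdot r^{-1}$ is this example's own shortcut (a real IdealGen computes the HNF); the names keygen, enc, dec, eval_add, eval_mul and check_scheme are also the example's, not the paper's.

```python
"""Toy instance of Gentry's somewhat homomorphic scheme SomHom (Fig. 1) with the tweaked
decryption Dec' of Fig. 2, in R = Z[x]/(x^N + 1) with I = (2) and J = (r) a degree-1
prime ideal. Added illustration with constructed parameters; far too small to be secure."""
import math
import random
from fractions import Fraction

N = 4  # ring degree n; a real instance needs n in the thousands


def poly_mul(a, b):
    """Product of two coefficient vectors modulo f = x^N + 1 (x^N = -1)."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                out[i + j] += ai * bj
            else:
                out[i + j - N] -= ai * bj
    return out


def ring_inverse(r):
    """Gauss-Jordan over Q on rot_f(r) (columns x^k r mod f): returns r^{-1} in Q[x]/f
    and det rot_f(r) = det(J), the index of the ideal lattice J = (r) in Z^N."""
    cols = [poly_mul(r, [int(k == j) for j in range(N)]) for k in range(N)]
    M = [[Fraction(cols[k][i]) for k in range(N)] for i in range(N)]
    a = [Fraction(int(i == 0)) for i in range(N)]  # right-hand side is 1 = e_0
    det = Fraction(1)
    for c in range(N):
        p = next(i for i in range(c, N) if M[i][c] != 0)  # f irreducible: r is invertible
        if p != c:
            M[c], M[p], a[c], a[p], det = M[p], M[c], a[p], a[c], -det
        det *= M[c][c]
        M[c], a[c] = [v / M[c][c] for v in M[c]], a[c] / M[c][c]
        for i in range(N):
            if i != c and M[i][c] != 0:
                fct = M[i][c]
                M[i] = [vi - fct * vc for vi, vc in zip(M[i], M[c])]
                a[i] -= fct * a[c]
    return a, int(det)


def is_prime(n):  # trial division is enough for the ~1e11 determinants of this toy
    return n > 1 and all(n % p for p in range(2, math.isqrt(n) + 1))


def keygen(seed=1, size=501):
    """IdealGen: sample short r = 1 mod 2 (Gentry's tweak, needed by Dec') until d = det(J)
    is prime; then R/J = Z_d via x -> rho, and reducing mod B_pk = (d, x - rho) is evaluation at rho."""
    rng = random.Random(seed)
    while True:
        r = [size + 2 * rng.randint(-5, 5)] + [2 * rng.randint(-1, 1) for _ in range(N - 1)]
        rinv, det = ring_inverse(r)
        d = abs(det)
        if not is_prime(d):
            continue
        # a = d * r^{-1} is integral (J^{-1} lies in (1/d) R). Over the field Z_d, c -> a x c has
        # kernel J, so its constant row (a0, -a3, ..., -a1) ~ (1, rho, ...): this example's shortcut.
        a = [int(v * d) % d for v in rinv]
        if a[0] == 0:
            continue
        rho = (-a[N - 1]) * pow(a[0], -1, d) % d
        assert sum(c * pow(rho, k, d) for k, c in enumerate(r)) % d == 0  # r(rho) = 0 in Z_d
        return {"r": r, "rinv": rinv}, {"d": d, "rho": rho}


def enc(pk, bit, rng):
    """Enc: Samp(I, bit) gives pi' = bit + 2 i with i short; psi = pi' mod B_pk = pi'(rho) mod d."""
    i = [rng.randint(-1, 1) for _ in range(N)]
    pi_prime = [bit + 2 * i[0]] + [2 * v for v in i[1:]]
    return sum(c * pow(pk["rho"], k, pk["d"]) for k, c in enumerate(pi_prime)) % pk["d"]


def eval_add(pk, psi1, psi2):  # ring addition mod B_pk is integer addition mod d
    return (psi1 + psi2) % pk["d"]


def eval_mul(pk, psi1, psi2):  # ring multiplication mod B_pk is integer product mod d
    return (psi1 * psi2) % pk["d"]


def dec(sk, psi):
    """Fig. 2 Dec': psi - [v_sk x psi] mod I, v_sk = r^{-1}, [.] rounding ties upwards."""
    c = [psi] + [0] * (N - 1)  # the integer ciphertext as a constant polynomial
    u = [math.floor(v + Fraction(1, 2)) for v in poly_mul(sk["rinv"], c)]
    return (c[0] - u[0]) % 2


def check_scheme(seed=7):
    """Encrypt all bit pairs, evaluate one add and one mult gate, decrypt: True iff all correct."""
    sk, pk = keygen()
    rng = random.Random(seed)
    for b1, b2 in ((0, 0), (0, 1), (1, 0), (1, 1)):
        c1, c2 = enc(pk, b1, rng), enc(pk, b2, rng)
        got = (dec(sk, c1), dec(sk, eval_add(pk, c1, c2)), dec(sk, eval_mul(pk, c1, c2)))
        if got != (b1, (b1 + b2) % 2, b1 * b2):
            return False
    return True
```

With $r_0 \approx 500$ and fresh noise of size at most 3 per coefficient, the product of two fresh ciphertexts has coefficients of size at most 36, so $r^{-1} \times \pi'$ stays within $1/8$ of an integer vector as Lemma 3.1 requires and both gates decrypt; deeper products quickly exceed the parallelepiped of $\mathrm{rot}_f(r)$ and decrypt to garbage, which is the degree limit that Lemma 3.2 makes precise.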

Let $C$ be a mod 2 circuit consisting of add and multiply gates with two inputs and one output. We let $g(C)$ denote the generalized circuit obtained from $C$ by replacing the add and multiply gates mod 2 by the $+$ and $\times$ operations of the ring $R$, respectively. We say that circuit $C$ is permitted, if for any set of inputs $x_1, \ldots, x_t$ to $g(C)$ with $\|x_k\| \leq r_{Enc}$ for $k = 1, \ldots, t$, we have $\|g(C)(x_1, \ldots, x_t)\| \leq r'_{Dec}$. A permitted circuit which is evaluated homomorphically on encryptions of plaintexts $\pi_1, \ldots, \pi_t$ will yield a ciphertext $\psi = g(C)(\pi_1 + i_1, \ldots, \pi_t + i_t) \bmod B_{pk}$ that correctly decrypts to $C(\pi_1, \ldots, \pi_t)$, and such that the coefficients of $v_{sk} \times \psi$ are within $1/8$ of an integer. As in [5, Le. 3.4], we characterize the permitted circuits by the maximal degree of the polynomial evaluated by the circuit. Note that Gentry considers the circuit depth, which is less flexible. 

Lemma 3.2. Let $C$ be a mod 2 circuit, and $g(C)$ denote the corresponding generalized circuit over $R$, evaluating $h \in \mathbb{Z}[x_1, \ldots, x_t]$ of (total) degree $d$. The circuit $C$ is permitted if $\gamma_\times^{d-1} \|h\|_1 r_{Enc}^d \leq r'_{Dec}$. In particular, assuming that $h$ has coefficients in $\{0, 1\}$, the circuit $C$ is permitted if $d$ satisfies 

$$d \leq \frac{\log r'_{Dec}}{\log(r_{Enc} \cdot \gamma_\times \cdot (t + 1))}.$$ 

Remark. The polynomial $h$ referred to above is the one evaluated by the generalized circuit $g(C)$. For arbitrary circuits $C$ mod 2, the polynomial $h$ may differ from the polynomial $h'$ evaluated by the circuit $C$ mod 2; in particular, the polynomial $h$ may have non-binary integer coefficients, and some may be multiples of 2. However, for circuits $C$ for which $h$ has binary coefficients (the condition in the lemma), we have $h = h'$ (this condition on $h$ is also needed, but is not explicitly stated in [5]). 

3.3 Gentry's Squashed Bootstrappable Scheme

To make it bootstrappable, Gentry [9, Ch. 10] modified SomHom' by 'squashing' the decryption circuit. He moved some of the decryption computation to the encryption stage, by providing additional information in the public key. This results in the bootstrappable scheme SqHom described in Figure 3. The scheme introduces three new integer parameters $(p, \gamma_{set}, \gamma_{sub})$. Note that we incorporated Optimization 2 from [9, Ch. 12], which is made possible thanks to the choice $I = (2)$.

— KeyGen''($\lambda$):

• Run KeyGen' to get $B_{pk}^J$ and $v_{sk}^J$.

• Generate a uniform $\gamma_{set}$-bit vector $s = (s_1, \ldots, s_{\gamma_{set}})$ with Hamming weight $\gamma_{sub}$ and $s_{\gamma_{set}} = 1$.

• Generate $t_1, \ldots, t_{\gamma_{set}-1}$ uniformly and independently from $J^{-1} \bmod B_I$. Compute $t_{\gamma_{set}} = v_{sk}^J - \sum_{k < \gamma_{set}} s_k t_k$.

• Return $sk = s$ and $pk = (B_{pk}^J; t_1, \ldots, t_{\gamma_{set}})$.

— Enc''($pk$, $\pi$): Run Enc of SomHom' to generate ciphertext $\psi$. For $k = 1, \ldots, \gamma_{set}$, compute $c_k$ on $p + 1$ bits (1 bit before the binary point, and $p$ bits after) such that $|c_k - [t_k \times \psi]_0 \bmod 2| \le 2^{-p}$, where $[g]_0$ denotes the constant coefficient of the polynomial $g \in R$. Return ciphertext $(\psi; c_1, \ldots, c_{\gamma_{set}})$.

— Dec''($sk$, $(\psi; c_1, \ldots, c_{\gamma_{set}})$): Given expanded ciphertext $(\psi; c_1, \ldots, c_{\gamma_{set}})$ and secret key $sk$, return $\pi = [\psi]_0 - \lfloor \sum_k s_k c_k \rceil \bmod 2$.

— Eval'': Same as for SomHom' (while recomputing the $c_k$'s, as in algorithm Enc'').

Fig. 3. Algorithms of the Squashed Scheme SqHom

Note that $\sum_k s_k c_k \approx \sum_k s_k [t_k \times \psi]_0 = [(\sum_k s_k t_k) \times \psi]_0 = [v_{sk}^J \times \psi]_0$, modulo 2. Hence, in terms of decryption correctness, SqHom differs from SomHom' only due to the rounding errors. The following lemma provides a sufficient precision $p$ (see also [5, Le. 6.1]). In Section 5 we will show that $p$ can be almost halved, using a probabilistic error analysis.

Lemma 3.3. If $p \ge 3 + \log_2 \gamma_{sub}$, a ciphertext $(\psi; c_1, \ldots, c_{\gamma_{set}})$ of SqHom with $\psi = \pi + i \bmod B_{pk}^J$ and $\|\pi + i\| < r'_{Dec}$ is correctly decrypted by the decryption algorithm Dec'', and $\sum_k s_k c_k$ is within $1/4$ of an integer.
For bootstrappability, we need to be able to implement the augmented decryption circuits Dec-Add and Dec-Mult with circuit degrees smaller than the degree capacity of the scheme. This is summarized in the following, in terms of the size $\gamma_{sub}$ of the hidden subset in the secret key.

Theorem 3.1 (Adapted from [5, Th. 6.2]). Assuming that $\sum_k s_k c_k$ is within $1/4$ of an integer, the augmented decryption circuits Dec-Add and Dec-Mult for scheme SqHom with precision parameter $p$ can be evaluated by circuits of degrees $\le \gamma_{sub} \cdot 2^9 p^{1.71}$.

Proof. To decrypt $\psi$, we have to compute $\pi = [\psi]_0 - \lfloor \sum_k s_k c_k \rceil \bmod 2$. We proceed as follows:

1. Compute $a_k = s_k \cdot c_k$ for $k = 1, \ldots, \gamma_{set}$.

2. Let $(a_{k,0}, a_{k,1}, \ldots, a_{k,p})$ be the bit representation of $a_k$. To sum the $a_k$'s:

2.1. For $j = 0, \ldots, p$, compute $W_j$, the Hamming weight of the bit vector $(a_{1,j}, \ldots, a_{\gamma_{set},j})$.

2.2. Compute $\pi = [\psi]_0 - \lfloor \sum_{j \le p} W_j \cdot 2^{-j} \rceil \bmod 2$.

Note that because only $\gamma_{sub}$ of the $a_k$'s are non-zero, each Hamming weight $W_j$ is at most $\gamma_{sub}$ and hence its binary representation has at most $\lceil \log_2(\gamma_{sub} + 1) \rceil$ bits. Step 1 requires a single multiplication mod 2 for each output bit, hence has degree 2. For Step 2.1, we use the following.

Lemma 3.4 (Adapted from [5, Le. 6.3]). Let $(a_1, \ldots, a_t)$ be a binary vector, and $W = W_n \ldots W_0$ be the binary representation of its Hamming weight. Then for any $k$, the bit $W_k$ can be expressed as the evaluation in the $a_i$'s of an integer polynomial of degree exactly $2^k$.

We conclude that Step 2.1 can be computed by a circuit of degree $2^{\lceil \log_2(\gamma_{sub} + 1) \rceil} \le 2\gamma_{sub}$. Using the '3-for-2' trick [15], van Dijk et al. [5] show that Step 2.2 can be done with a circuit of degree $\le 2^{\lceil \log_{3/2}(p+1) \rceil + 4} \le 2^6 p^{1.71}$. The total degree of the decryption circuit is thus $\le \gamma_{sub} \cdot 2^8 p^{1.71}$, and hence that of Dec-Add (resp. Dec-Mult) is $\le \gamma_{sub} \cdot 2^9 p^{1.71}$. □

Combining Theorem 3.1 with Lemmata 3.2 and 3.3 we get:

Corollary 3.1. The scheme SqHom is bootstrappable as long as

$$\gamma_{sub} \cdot 2^9 \log^{1.71}(\gamma_{sub} + 4) \le \frac{\log r'_{Dec}}{\log(r_{Enc} \cdot \gamma_\times \cdot (t+1))}.$$


4 A Less Pessimistic Hardness Analysis of the SSSP

The semantic security of Gentry's schemes SomHom and SomHom' relies on the hardness of a bounded distance decoding problem. As explained in Section 2, this hardness assumption is asymptotically well understood (with the lattice reduction 'rule of thumb' conjecture). When converted into the bootstrappable scheme SqHom, another hardness assumption is added, namely that of the so-called SplitKey distinguishing problem. To be precise, a semantic attack against SqHom leads either to an efficient ideal lattice BDD algorithm or to an efficient algorithm for the SplitKey distinguishing problem (see [?, Th. 10]). In [9, Th. 11.1.3], the following Sparse Vector Subset Sum Problem (SVSSP) is shown to reduce to the SplitKey distinguishing problem.

Definition 4.1 (SVSSP$_{\gamma_{sub}, \gamma_{set}}$). Let $\gamma_{sub}$ and $\gamma_{set}$ be functions of the hardness parameter $\lambda$. Let $J$ be as generated by KeyGen, and $B_{IJ}$ be the HNF of the ideal $IJ$. The decisional SVSSP is as follows: Distinguish between $(a_1, \ldots, a_{\gamma_{set}})$ chosen uniformly in $R \cap \mathcal{P}(B_{IJ})$ and the same but conditioned on the existence of a vector $s \in \{0,1\}^{\gamma_{set}}$ of Hamming weight $\gamma_{sub}$ with $\sum_k s_k a_k = 0 \bmod IJ$.

For our choice $I = (2)$, we have $B_{IJ} = 2 B_{pk}^J$, where $B_{pk}^J$ is the HNF of $J$. In the following, we use $q = \det(B_{IJ}) = 2^n \det(J)$. A simple birthday paradox attack runs in time $\approx \binom{\gamma_{set}}{\gamma_{sub}/2}$. To achieve $2^\lambda$ hardness, we require that $\gamma_{sub} = \Omega(\lambda)$ and $\gamma_{set} \ge 2\gamma_{sub}$. We now analyze another attack, based on lattice reduction. Consider the lattice

$$L = \Big\{ x \in \mathbb{Z}^{\gamma_{set}} : \sum_{k \le \gamma_{set}} x_k \cdot a_k = 0 \bmod IJ \Big\}.$$

Since $q\mathbb{Z}^{\gamma_{set}} \subseteq L$, we have $\dim L = \gamma_{set}$. Furthermore, we have $\det L = |\mathbb{Z}^{\gamma_{set}} / L| = |\phi(\mathbb{Z}^{\gamma_{set}})| \le \det(B_{IJ}) = q$, where $\phi : \mathbb{Z}^{\gamma_{set}} \to R/IJ$ is the map $x \mapsto \sum_k x_k a_k \bmod IJ$. Also, the existence of the solution vector $s$ implies that $1 \le \lambda_1(L) \le \sqrt{\gamma_{sub}}$.

Suppose we are limited to a computational power of $2^\lambda$. The lattice reduction 'rule of thumb' conjecture suggests that we cannot find vectors in $L$ of norm $< U \cdot \lambda_1(L)$, where $U := c_1^{\gamma_{set}/\lambda}$, assuming that the lattice gap is $\le U/c_2$. Apart from the unusual smallness of the lattice minimum, there is no reason to expect the remaining $\lambda_i(L)$'s to vary significantly: the lattice gap and the lattice amplitude $\lambda_{\gamma_{set}}(L)/\lambda_2(L)$ should be similar. Now, there are $\le m := U$ pairs of non-zero multiples $\pm k \cdot s$ with norm $\le U \cdot \lambda_1(L) \le U \sqrt{\gamma_{sub}}$. At the same time, Minkowski's theorem (Theorem 2.1) asserts that there are far more lattice vectors of norm $\le U/c_2$:

Lemma 4.1. Assuming that $\frac{\pi^{\gamma_{set}/2}}{\Gamma(\gamma_{set}/2 + 1)} \cdot (U/c_2)^{\gamma_{set}} \ge (2^\lambda m) \cdot 2^{\gamma_{set}} \cdot q$, we have $|L \cap \mathcal{B}(0, U/c_2)| \ge 2^\lambda m$.

Note that if the condition in Lemma 4.1 holds, then, as $\lambda_1(L) \ge 1$, the ball of radius $U \lambda_1(L) \ge U/c_2$ contains more than $m$ pairs of non-zero points of $L$, so the lattice gap must be $\le U/c_2$.

It seems reasonable to assume that the lattice points that are not multiples of $s$ do not provide information towards solving SVSSP. Also, we heuristically expect lattice reduction to return one of these relevant vectors with probability $\approx 2^{-\lambda}$ if they constitute a fraction $2^{-\lambda}$ of the total number of lattice vectors of norm $\le U \lambda_1(L)$. Under these assumptions, if the computational effort of lattice reduction is limited to $2^\lambda$ and if we wish to bound the likelihood of finding a relevant vector by $2^{-\lambda}$, it seems sufficient to set the parameters so that:

$$c_1^{\gamma_{set}^2/\lambda} \ge 2^\lambda \cdot \gamma_{set}^{O(\gamma_{set})} \cdot q.$$

As $\gamma_{set} = \Omega(\lambda)$, the above is implied by $\gamma_{set}^2/\lambda = \Omega(\log q)$. Note that this condition is less restrictive than the corresponding one used in [9,26,5] (i.e., $\gamma_{set} = \Omega(\log q)$).

Remark. In algorithm KeyGen'', the SVSSP instances satisfy $s_{\gamma_{set}} = 1$. This does not result in any security reduction, as an attacker can guess an $i$ such that $s_i = 1$ and then permute indices $i$ and $\gamma_{set}$.

Remark. Our analysis differs in two ways from the one in [9] relying on [?]: for consistency with the hardness analysis of the ideal BDD, we consider an approximate SVP solver rather than an exact SVP solver; secondly, we do not consider the 'replay' attack from [23] (which would lead to larger involved constants), as, contrary to the case of server-aided RSA, only one instance of the SSSP is given.
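The birthday paradox attack quoted above, as an added example that is not part of the paper: a planted sparse subset-sum instance over plain integers modulo $q$ (the ring $R/IJ$ is replaced by $\mathbb{Z}_q$, and $q$, $\gamma_{set}$, $\gamma_{sub}$ and the seed are constructed toy values) and a meet-in-the-middle search that tabulates all weight-$\gamma_{sub}/2$ half-sums. The attack never uses the constraint $s_{\gamma_{set}} = 1$ from KeyGen'', which is the point of the first remark.

```python
"""Birthday-paradox (meet-in-the-middle) attack on a toy SVSSP instance.
Added example, not the paper's code; ring elements are replaced by
integers modulo q and all parameters are constructed."""
from itertools import combinations
from math import comb
import random


def make_instance(gamma_set, gamma_sub, q, seed=0):
    """Planted instance: a_1..a_gamma_set uniform mod q, except that a random
    weight-gamma_sub subset (always containing the last index, as s_gamma_set
    = 1 in KeyGen'') is adjusted to sum to 0 mod q.  Returns (a, s)."""
    rng = random.Random(seed)
    a = [rng.randrange(q) for _ in range(gamma_set)]
    idx = rng.sample(range(gamma_set - 1), gamma_sub - 1) + [gamma_set - 1]
    s = [1 if k in idx else 0 for k in range(gamma_set)]
    last = idx[-1]
    # fix one planted coordinate so that sum_k s_k a_k = 0 (mod q)
    a[last] = (-sum(a[k] for k in idx if k != last)) % q
    return a, s


def birthday_attack(a, gamma_sub, q):
    """Tabulate the sums of all weight-(gamma_sub//2) subsets, then search the
    complementary subsets for a disjoint partner whose sum cancels mod q.
    Time and memory are ~ binom(gamma_set, gamma_sub/2): the reason the text
    demands gamma_sub = Omega(lambda) and gamma_set >= 2*gamma_sub.
    Returns the recovered 0/1 vector, or None."""
    half = gamma_sub // 2
    table = {}
    for sub in combinations(range(len(a)), half):
        table.setdefault(sum(a[k] for k in sub) % q, []).append(sub)
    for sub in combinations(range(len(a)), gamma_sub - half):
        target = (-sum(a[k] for k in sub)) % q
        for other in table.get(target, ()):
            if not set(other) & set(sub):          # the two halves must be disjoint
                s = [0] * len(a)
                for k in other + sub:
                    s[k] = 1
                return s
    return None


def attack_cost(gamma_set, gamma_sub):
    """Number of half-subset sums the attack tabulates."""
    return comb(gamma_set, gamma_sub // 2)


if __name__ == "__main__":
    a, s = make_instance(14, 4, 1000003, seed=3)
    found = birthday_attack(a, 4, 1000003)
    print("planted:", s)
    print("found:  ", found, "cost:", attack_cost(14, 4))
```

With $\gamma_{set} = 14$ and $\gamma_{sub} = 4$ the table holds $\binom{14}{2} = 91$ sums; the recovered vector is checked for weight and for the subset-sum relation rather than for equality with the planted $s$, since a second weight-4 solution can exist by chance.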

5 Improved Ciphertext Refreshing Algorithm

As explained in the proof of Theorem 3.1, the main component in the degree of the decryption algorithm comes from the addition of the rationals $s_k c_k \approx [s_k t_k \times \psi]_0 \bmod 2$. This accounts for degree $\gamma_{sub}$, and all other components of the degree are negligible compared to this one.

Recall that $t_1, \ldots, t_{\gamma_{set}-1}$, and hence also $[t_1 \times \psi]_0 \bmod 2, \ldots, [t_{\gamma_{set}-1} \times \psi]_0 \bmod 2$, are chosen independently with identical distribution (iid), and that $t_{\gamma_{set}} = v_{sk}^J - \sum_{k < \gamma_{set}} s_k t_k \bmod 2$. We are to exploit the iid-ness of the first $t_k$'s to obtain a sufficient precision $p$ that is essentially half of that of Section 3.3. This will have the effect of taking the square root of the decryption circuit degree.

5.1 Using Less Precision

We first sum the $s_k [t_k \times \psi]_0$'s for $k < \gamma_{set}$, since they are iid, and then we add the remaining $c_{\gamma_{set}}$. The first sum will be represented on 6 bits (1 bit before the point and 5 bits after) and we will ensure that it is within $1/16$ of $\sum_{k < \gamma_{set}} s_k [t_k \times \psi]_0 \bmod 2$, with high probability. We take $c_{\gamma_{set}}$ within distance $1/16$ of $[t_{\gamma_{set}} \times \psi]_0 \bmod 2$ and represent it on 6 bits. The last sum will provide a result within distance $1/8$ of $\sum_{k \le \gamma_{set}} s_k [t_k \times \psi]_0 \bmod 2$, and can be done with a circuit of constant degree. Using Lemma 3.1 we obtain that the result is within $1/4$ of an integer.

We now concentrate on the first sum. Let the $c_k$'s be fixed-point approximations to the $[t_k \times \psi]_0$'s, with some precision $p$. We have $|\varepsilon_k| \le 2^{-p}$ with $\varepsilon_k = c_k - [t_k \times \psi]_0$. As the $t_k$'s for $k < \gamma_{set}$ are iid, so are the $\varepsilon_k$'s, $k < \gamma_{set}$. Also, we will ensure that $E[\varepsilon_k] = 0$ for any $k < \gamma_{set}$. The following lemma leads to a probabilistic error bound for the sum of the $\varepsilon_k$'s.

Lemma 5.1. Let $\varepsilon_1, \ldots, \varepsilon_t$ be iid variables with values in $[-\varepsilon, \varepsilon]$ and such that $E[\varepsilon_k] = 0$ for all $k$. Then $|\sum_{k \le t} \varepsilon_k| \ge \sqrt{t}\, \varepsilon \cdot \omega(\sqrt{\log \lambda})$ with probability negligibly small with respect to $\lambda$.

Proof. We apply Hoeffding's inequality to the $\varepsilon_k$'s. We have $\Pr[|\sum_k \varepsilon_k| \ge x] \le \exp(-x^2 / (2 t \varepsilon^2))$, for any $x > 0$. We take $x = \sqrt{t}\, \varepsilon \cdot \omega(\sqrt{\log \lambda})$. □

We use this lemma with $\varepsilon = 2^{-p}$ and $t = \gamma_{sub} - 1$ (i.e., the number of non-zero $s_k$'s for $k < \gamma_{set}$). It indicates that taking $p = \frac{1}{2} \log_2 \gamma_{sub} + \omega(\log \log \lambda)$ suffices to ensure that with probability negligibly close to 1 we have $|\sum_{k < \gamma_{set}} s_k (c_k - [t_k \times \psi]_0) \bmod 2| \le 1/32$. Truncating the result to 5 bits after the binary point cannot add more than an error of $1/32$.

5.2 Expliciting the Computation of the $c_k$'s in Enc''

In order to be able to apply Lemma 5.1, we have to ensure that $E[\varepsilon_k] = 0$ for any $k < \gamma_{set}$. To guarantee the latter and that this computation enjoys a limited complexity bound, the $c_k$'s need to be computed carefully.

We are given $t_k$ and $\psi$, and wish to compute a $(1+p)$-bit approximation $c_k$ to $[t_k \times \psi]_0 \bmod 2$. As $J$ is a degree 1 prime ideal, the vector $\psi$ is in fact an integer modulo $\det(J)$. We are thus interested in computing $[t_k]_0 \cdot \psi$ modulo 2. We make this computation explicit in Figure 4.

Inputs: Vectors $t_k$ and $\psi$, and precision $p$.

Output: A precision $(1+p)$ real $c_k \in [-1, 1]$ with $|c_k - ([t_k \times \psi]_0 \bmod 2)| \le 2^{-p}$.

1. $p' := \log_2 \det(J) + p + 1$;

2. Compute the closest precision $(1+p')$ number $\tilde{t}_k \in [-1, 1]$ to $[t_k]_0$.

3. Compute $c'_k := \tilde{t}_k \psi$ exactly.

4. Reduce $c'_k$ modulo 2, while preserving its sign (the result belongs to $[-1, 1]$).

5. Round $c'_k$ to the closest precision $(1+p)$ number $c_k \in [-1, 1]$.

Fig. 4. Computing coefficient $c_k$ for algorithm Enc''

Lemma 5.2. The algorithm of Figure 4 is correct. Furthermore, if the vector $t_k$ is chosen uniformly in $J^{-1} \bmod 2$ with uniformly random choice of sign when a coordinate of $t_k$ belongs to $\{-1, 1\}$, then $E[\varepsilon_k] = 0$, where $\varepsilon_k = c_k - ([t_k \times \psi]_0 \bmod 2)$.

Proof. At Step 2 of the algorithm, we have $|\tilde{t}_k - [t_k]_0| \le 2^{-p'-1}$. As $\psi$ is exact and belongs to $[0, \det J)$, we have $|\tilde{t}_k \psi - [t_k]_0 \psi| \le 2^{-p'-1} \det(J) \le 2^{-p-1}$. Thus, at Step 3, we have $|c'_k - [t_k \times \psi]_0| \le 2^{-p-1}$. The rounding of Step 5 leads to $|c_k - ([t_k \times \psi]_0 \bmod 2)| \le 2^{-p-1} + 2^{-p-1} = 2^{-p}$.

To prove the second statement, we use the symmetry of the distribution of $t_k$. It implies that $E[[t_k \times \psi]_0 \bmod 2] = 0$. We now use the same property to show that $E[c_k] = 0$. At Step 2, changing $t_k$ into $-t_k$ has the effect of changing $\tilde{t}_k$ into $-\tilde{t}_k$. This implies that at Step 3, changing $t_k$ into $-t_k$ has the effect of changing $c'_k$ into $-c'_k$. Due to the symmetry of the rounding to nearest, this carries over to $c_k$ and $\varepsilon_k$ at Step 5. □

Note that the choice of rounding to nearest is not benign: the above proof strongly relies on the symmetry of the rounding with respect to 0.
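The algorithm of Figure 4 with exact rational arithmetic, as an added example that is not the paper's code: it checks the error bound $|c_k - ([t_k]_0 \psi \bmod 2)| \le 2^{-p}$ of Lemma 5.2, the sign symmetry $t_k \mapsto -t_k \Rightarrow c_k \mapsto -c_k$ that the proof relies on, and, for the sum of $\gamma_{sub}$ independent errors, the gap between the worst case $\gamma_{sub} 2^{-p}$ of Lemma 3.3 and the $\sqrt{\gamma_{sub}} 2^{-p}$ behaviour Section 5.1 exploits. The sampler for $[t_k]_0$ (uniform in $\frac{1}{\det J}\mathbb{Z}$ modulo 2, reduced into $[-1,1]$ with a random sign at the endpoints), the value $\det(J) = 1009$ and the rounding of $\log_2 \det(J)$ up to an integer in Step 1 are assumptions of this example.

```python
"""Figure 4 (computation of c_k) with exact rationals, plus the error
and symmetry checks of Lemma 5.2.  Added example; inputs are constructed."""
from fractions import Fraction
import math
import random


def round_to_precision(x: Fraction, bits: int) -> Fraction:
    """Round x to the nearest multiple of 2^-bits.  Python's round() is
    round-half-to-even, which is symmetric about 0 (round(-y) == -round(y)),
    the property the proof of Lemma 5.2 needs."""
    scale = 2 ** bits
    return Fraction(round(x * scale), scale)


def signed_mod2(x: Fraction) -> Fraction:
    """Reduce x modulo 2 into [-1, 1] while preserving its sign (Step 4)."""
    return x - 2 * round(x / 2)


def compute_c(t0: Fraction, psi: int, det_j: int, p: int) -> Fraction:
    """Figure 4: a (1+p)-bit approximation c_k of [t_k]_0 * psi mod 2.
    t0 plays [t_k]_0, a rational in [-1, 1]; psi in [0, det_j) is the
    ciphertext as an integer modulo det(J).  (Assumption of this example:
    log2 det(J) in Step 1 is rounded up to an integer.)"""
    assert 0 <= psi < det_j and -1 <= t0 <= 1
    p_prime = math.ceil(math.log2(det_j)) + p + 1       # Step 1
    t_tilde = round_to_precision(t0, p_prime)           # Step 2
    c_prime = t_tilde * psi                             # Step 3, exact
    c_prime = signed_mod2(c_prime)                      # Step 4
    return round_to_precision(c_prime, p)               # Step 5


def rounding_error(t0: Fraction, psi: int, det_j: int, p: int) -> Fraction:
    """epsilon_k = c_k - ([t_k]_0 * psi mod 2), measured modulo 2."""
    c = compute_c(t0, psi, det_j, p)
    return signed_mod2(c - signed_mod2(t0 * psi))


def random_t0(rng: random.Random, det_j: int) -> Fraction:
    """Constructed sampler for [t_k]_0: uniform in (1/det J) Z modulo 2,
    reduced into [-1, 1] with a random sign when it lands on +-1."""
    v = Fraction(rng.randrange(0, 2 * det_j), det_j)   # in [0, 2)
    if v > 1:
        v -= 2
    elif v == 1 and rng.random() < 0.5:
        v = -v
    return v


def check_bounds(det_j: int = 1009, p: int = 5, gamma_sub: int = 32,
                 trials: int = 200, seed: int = 1):
    """Returns (worst single |epsilon_k|, worst |sum of gamma_sub errors|,
    2^-p).  Lemma 5.2 promises the first is <= 2^-p; the worst case for the
    sum is gamma_sub * 2^-p, but with E[epsilon_k] = 0 it stays far below."""
    rng = random.Random(seed)
    worst_single = Fraction(0)
    worst_sum = Fraction(0)
    for _ in range(trials):
        psi = rng.randrange(det_j)
        total = Fraction(0)
        for _ in range(gamma_sub):
            t0 = random_t0(rng, det_j)
            # symmetry used in the proof of Lemma 5.2: flipping t_k flips c_k
            assert compute_c(-t0, psi, det_j, p) == -compute_c(t0, psi, det_j, p)
            e = rounding_error(t0, psi, det_j, p)
            worst_single = max(worst_single, abs(e))
            total += e
        worst_sum = max(worst_sum, abs(total))
    return worst_single, worst_sum, Fraction(1, 2 ** p)


if __name__ == "__main__":
    single, total, bound = check_bounds()
    print(f"worst |eps_k| = {float(single):.4f} <= 2^-p = {float(bound):.4f}")
    print(f"worst |sum| = {float(total):.4f}, worst-case bound {float(32 * bound):.4f}")
```

With $p = 5$ and $\gamma_{sub} = 32$ the worst-case bound on the sum is $32 \cdot 2^{-5} = 1$, while the observed sums stay within a small multiple of $\sqrt{32} \cdot 2^{-5} \approx 0.18$; the single-coefficient check $c_k(1/3, \psi = 5) = -11/32$ is worked by hand in the test.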

5.3 Decreasing the Decryption Circuit Depth

We now want to compute $\sum_{k \le \gamma_{set}} s_k c_k \bmod 2$, where the $c_k$'s are fixed-point reals with precision $p = \frac{1}{2} \log_2 \gamma_{sub} + \omega(\log \log \lambda)$. Instead of computing the Hamming weights $W_j$ for $j \in \{0, \ldots, p\}$ as in the proof of Theorem 3.1, we compute only the bits $W_{j,l}$ (for $0 \le l \le j$) that are going to contribute to $\sum_{k \le \gamma_{set}} s_k c_k \bmod 2$: the most significant bits are rendered useless by the reduction modulo 2. Most interestingly, these unnecessary most significant bits were the ones requiring the higher degree circuits to evaluate. More precisely, we have:

$$\sum_{k \le \gamma_{set}} s_k c_k = \sum_{j=0}^{p} W_j 2^{-j} = \sum_{j=0}^{p} \sum_{l \ge 0} W_{j,l} 2^{-j+l} \equiv \sum_{j=0}^{p} \sum_{l=0}^{j} W_{j,l} 2^{-j+l} \pmod 2.$$

Lemma 3.4 now implies that the desired sum mod 2 can be computed correctly with probability negligibly close to 1 with respect to $\lambda$, by evaluating an arithmetic circuit of size $\mathcal{P}oly(\gamma_{sub})$ corresponding to a polynomial of degree exactly $2^{p+1} = \sqrt{\gamma_{sub}} \cdot \omega(\sqrt{\log \lambda})$. Overall, we get:

Theorem 5.1. The scheme SqHom is bootstrappable as long as

$$\sqrt{\gamma_{sub}} \cdot \omega(\sqrt{\log \lambda}) \le \frac{\log r'_{Dec}}{\log(r_{Enc} \cdot \gamma_\times \cdot (t+1))}.$$


6 Asymptotic Efficiency

We now use the improvements described in the two previous sections to derive bounds for the complexity of Gentry's fully homomorphic scheme.

6.1 Optimizing the Parameters in Gentry's Scheme

The table below summarizes and compares the conditions for Gentry's scheme to be $2^\lambda$-secure and correct. The semantic security of SomHom' is related to the hardness of $\gamma$-BDD for $\gamma = r'_{Dec} / r_{Enc}$. Recall that $r'_{Dec} = \lambda_1(J) / \mathcal{P}oly(n)$. Recall also that $J$ is an ideal lattice, and thus we have $\lambda_1(J) \ge \det(J)^{1/n} = q^{1/n}/2$ (where $q$ is the SVSSP determinant of Section 4). As a consequence, it suffices to ensure that $\gamma$-BDD is hard to solve for $\gamma = q^{1/n} / (r_{Enc} \mathcal{P}oly(n))$. We use the lattice reduction 'rule of thumb' to derive a sufficient condition. As the encryptor is limited to polynomial-time algorithms, we can safely assume that $n = \mathcal{P}oly(\lambda)$. Also, since $f = x^n + 1$, we have $\gamma_\times = \sqrt{n}$. Finally, by choosing $r_{Enc} = \mathcal{P}oly(\lambda)$, the ciphertexts have sufficient entropy to prevent any exhaustive search.

  Condition                          | Gentry [9]                                        | This article
  -----------------------------------+---------------------------------------------------+--------------------------------------------------
  BDD resistant to lattice attacks   | $q^{1/n} / \mathcal{P}oly(\lambda) \le c^{n/\lambda}$ | $q^{1/n} / \mathcal{P}oly(\lambda) \le c^{n/\lambda}$
  SSSP resistant to birthday paradox | $\binom{\gamma_{set}}{\gamma_{sub}} \ge 2^\lambda$  | $\binom{\gamma_{set}}{\gamma_{sub}} \ge 2^\lambda$
  SSSP resistant to lattice attacks  | $\gamma_{set} = \Omega(\log q)$                    | $\gamma_{set}^2 / \lambda = \Omega(\log q)$
  Bootstrappability achieved         | $\gamma_{sub} \le \tilde{O}(\log q / n)$           | $\sqrt{\gamma_{sub}} \le \tilde{O}(\log q / n)$

To fulfill these conditions, we set $\gamma_{sub} = \Theta(\lambda)$, $n = \Theta(\lambda^{1.5})$, $\log q = \Theta(\lambda^2)$ and $\gamma_{set} = \Theta(\lambda^{1.5})$. In [9, Ch. 12], these values were $\gamma_{sub} \approx \lambda$, $n \approx \lambda^2$, $\log q \approx \lambda^3$ and $\gamma_{set} \approx \lambda^3$ respectively.

6.2 Bit Complexity

The Recrypt procedure consists in expanding the ciphertext $\psi$ as described in algorithm Enc'' of SqHom, encrypting the bits of the expanded ciphertext with the new public key $pk_2$, and then applying algorithm Dec'' homomorphically, using the encrypted ciphertext bits and the encrypted secret key $sk_1$ (under $pk_2$). We also consider the cost of homomorphically evaluating an elementary add/mult gate.

Let us first bound the cost of computing the $c_k$'s in Enc'', calling $\gamma_{set}$ times the algorithm from Figure 4. First, note that Steps 1 and 2 should not be done within Enc'', but at key generation time, i.e., in KeyGen''. Note that during the third step of KeyGen'', one should also pay attention to perform the reduction modulo $(2)$ such that the assumption of Lemma 5.2 holds. The quantity $c'_k$ obtained at Step 3 of the algorithm from Figure 4 is encoded on $O(\log q)$ bits, and its computation can be performed in $\tilde{O}(\log q)$ bit operations, using fast integer arithmetic [?]. The costs of Steps 4 and 5 are negligible. Overall, the computation of the $c_k$'s in Enc'' can be done in $\tilde{O}(\gamma_{set} \log q) = \tilde{O}(\lambda^{3.5})$ bit operations.

The secret key is made of $\gamma_{set} = \Theta(\lambda^{1.5})$ bits. The bit-length of the encrypted secret key is $\gamma_{set} \log q = \tilde{O}(\lambda^{3.5})$. To encrypt the bits of the $c_k$'s under $pk_2$, we use Samp = 0, as explained in [9, Re. 4.1.1], i.e., we consider as encrypted values the bits themselves.

Let us now explain how algorithm Dec'' is implemented. We concentrate on the most expensive part, i.e., the (homomorphic) computation of $O(\log \gamma_{sub}) = \tilde{O}(1)$ Hamming weights of vectors in $\{0,1\}^{\gamma_{set}}$. Let $(a_1, \ldots, a_{\gamma_{set}})$ be such a vector. As explained in [?, Le. 5] (which relies on [?, Le. 11]), it suffices to compute the developed form of the polynomial $\prod_{k \le \gamma_{set}} (x - a_k)$. Recall that in Section 5 we showed that we are interested in only a few coefficients of the result, corresponding to monomials of degrees $O(\sqrt{\gamma_{sub}})$. For the sake of simplicity (and with a negligible cost increase), we compute the full developed form anyway, and then throw away the spurious coefficients. Our circuit here differs from those of [26,5] and [9, Ch. 9] as we use fast polynomial multiplications and a tree-based construction instead of school-book multiplications and Horner's method, to lower the overall asymptotic complexity. Note that the circuit is over the integers, and evaluates an integer polynomial whose coefficients of interest have small multiplicative degrees in the inputs. We compute the developed form of $\prod_{k \le \gamma_{set}} (x - a_k)$ with a binary tree:

• At level 0, we have the linear factors $(x - a_k)$.

• At level $i$, we have $\gamma_{set}/2^i$ polynomials of degree $2^i$ that are the products of the linear factors corresponding to their binary subtrees.

• A father of two nodes is obtained by multiplying its two sons, with a quasi-linear time multiplication for polynomials over rings that uses only ring operations [?].

The size of each circuit that allows to move from sons at level $i-1$ to father at level $i$ is $\tilde{O}(2^i)$. The overall number of add/mult integer gates is therefore $\tilde{O}(\gamma_{set})$. While evaluating this circuit homomorphically, each gate corresponds to an add/mult modulo $B_{pk}^J$, i.e., thanks to our choice for $J$, to an add/mult of two integers modulo $\det(J)$, whose bit-length is $O(\log q)$. The overall complexity of Dec'' is $\tilde{O}(\gamma_{set} \log q) = \tilde{O}(\lambda^{3.5})$.

To summarize, Recrypt for 1 plaintext bit costs $\tilde{O}(\lambda^{3.5})$ bit operations (compared to the bound $\tilde{O}(\lambda^6)$ claimed in [9, Ch. 12]). And the cost of homomorphically evaluating an elementary add/mult gate is also $\tilde{O}(\lambda^{3.5})$. The secret key $s$ and the public key $(B_{pk}^J; t_1, \ldots, t_{\gamma_{set}})$ are respectively encoded on $\gamma_{set} = \Theta(\lambda^{1.5})$ and $O(n \log q + \gamma_{set} \log q) = \tilde{O}(\lambda^{3.5})$ bits.
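The Hamming-weight circuit of Theorem 3.1 and Lemma 3.4, the product tree just described, and the Section 5.3 truncation to the bits $W_{j,l}$ with $l \le j$, as one added example that is not the paper's code. It runs over the integers in the clear (no homomorphic evaluation); the product tree uses schoolbook polynomial multiplication where the paper uses a quasi-linear one, which changes the cost but not the coefficients. The $c_k$ are taken as non-negative $(1+p)$-bit representatives in $[0, 2)$ so that the bit decomposition of the proof of Theorem 3.1 applies directly; the toy sizes and the seed are constructed.

```python
"""Hamming-weight bits via the product tree prod_k (x - a_k), and the
sum_k s_k c_k mod 2 of Dec'' computed (a) directly, (b) from full Hamming
weights as in the proof of Theorem 3.1, (c) from the bits W_{j,l}, l <= j,
only, as in Section 5.3.  Added example; inputs are constructed."""
from fractions import Fraction
import random


def poly_mul(a, b):
    """Product of integer polynomials given as coefficient lists, lowest
    degree first (schoolbook; the paper uses a quasi-linear algorithm)."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return out


def product_tree(bits):
    """Developed form of prod_k (x - a_k): level 0 holds the linear factors,
    level i holds len(bits)/2^i products of degree 2^i, fathers are the
    products of their two sons."""
    level = [[-a, 1] for a in bits]              # x - a_k, constant term first
    while len(level) > 1:
        if len(level) % 2:                       # odd count: carry one node up
            level.append([1])
        level = [poly_mul(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def elementary_symmetric(bits):
    """e_0..e_n of the inputs: prod (x - a_k) = sum_j (-1)^j e_j x^(n-j)."""
    coeffs = product_tree(bits)
    n = len(bits)
    return [(-1) ** j * coeffs[n - j] for j in range(n + 1)]


def hamming_weight_bits(bits, nbits):
    """Lemma 3.4: bit l of the Hamming weight is e_{2^l}(a) mod 2, i.e. an
    integer polynomial of degree exactly 2^l in the inputs (e_j = C(W, j))."""
    e = elementary_symmetric(bits)
    return [e[2 ** l] % 2 if 2 ** l < len(e) else 0 for l in range(nbits)]


def fixed_point_bits(c, p):
    """Bits (c_0 . c_1 ... c_p) of a dyadic c in [0, 2) with p fractional bits."""
    num = int(c * 2 ** p)                        # exact for a p-bit value
    return [(num >> (p - j)) & 1 for j in range(p + 1)]


def sum_mod2_full(products, p):
    """Proof of Theorem 3.1: W_j = weight of bit column j, sum_j W_j 2^-j."""
    cols = [[fixed_point_bits(c, p)[j] for c in products] for j in range(p + 1)]
    total = Fraction(0)
    for j, col in enumerate(cols):
        total += Fraction(sum(col), 2 ** j)      # every bit of W_j is used
    return total % 2


def sum_mod2_truncated(products, p):
    """Section 5.3: sum_j sum_{l<=j} W_{j,l} 2^(l-j) mod 2.  Bits with l > j
    are multiples of 2 and are never computed, so the highest-degree
    polynomials (degree 2^l for l > j) are never evaluated."""
    cols = [[fixed_point_bits(c, p)[j] for c in products] for j in range(p + 1)]
    total = Fraction(0)
    for j, col in enumerate(cols):
        for l, bit in enumerate(hamming_weight_bits(col, j + 1)):   # l = 0..j
            total += bit * Fraction(2 ** l, 2 ** j)
    return total % 2


def demo(gamma_set=16, gamma_sub=6, p=4, seed=7):
    """Constructed SqHom-style inputs: secret s of weight gamma_sub and
    (1+p)-bit values c_k in [0, 2).  Returns the three evaluations of
    sum_k s_k c_k mod 2, which Section 5.3 says must agree."""
    rng = random.Random(seed)
    s = [1] * gamma_sub + [0] * (gamma_set - gamma_sub)
    rng.shuffle(s)
    cs = [Fraction(rng.randrange(2 ** (p + 1)), 2 ** p) for _ in range(gamma_set)]
    products = [sk * ck for sk, ck in zip(s, cs)]            # a_k = s_k c_k
    return sum(products) % 2, sum_mod2_full(products, p), sum_mod2_truncated(products, p)


if __name__ == "__main__":
    print(hamming_weight_bits([1, 0, 1, 1, 0, 1, 1, 1, 0, 1], 5))   # weight 7
    print(demo())
```

Only the coefficients $e_{2^l}$ are read off the developed form, the rest are the "spurious coefficients" the text discards; with $p = 4$ the truncated sum never needs a bit of degree above $2^4$.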

7 Open Problems

It would be interesting to relax our assumptions $f = x^n + 1$ and $I = (2)$, in case other choices prove interesting (see the full version for $I = (2, x+1)$). An important question is to assess the practical impact of our results (see [26,12] for implementations of Gentry's scheme). At the end of [9, Se. 12.3], Gentry suggests using non-independent SplitKey vectors $t_i$ to lower the costs. The idea is to encode $n$ vectors $t_{i,j} = x^j t_i \bmod x^n + 1$ using only $t_i$. This leads to a faster amortized cost per plaintext bit using the plaintext domain $\mathbb{Z}_2[x]/f(x)$. However, it is not clear how to homomorphically decrypt with such a variant, as one is now restricted to more complex circuit gates than addition and multiplication modulo 2.
A Smaller Keys

In [9, Se. 4.3], Gentry suggests re-using the same key-pair for all levels of the fully homomorphic scheme derived from Theorem 2.2. This allows one to significantly decrease the key sizes of the bootstrapped fully homomorphic scheme. This strategy can be proved secure if the underlying bootstrappable homomorphic encryption scheme is assumed or known to be KDM-secure [9, Th. 4.3.2]. Our lower-degree decryption may fail with non-negligible probability after the first refreshing of a ciphertext, as our technique does not handle the non-independence of the ciphertext and the secret key. To circumvent this issue, we randomize the ciphertext to waive its possible non-independence with the secret key. Note that this technique is similar in flavor to Gentry's modified scheme providing circuit privacy [9, Se. 7].

Consider algorithm Enc'' of SqHom. The condition required for the probabilistic technique described in Section 5 to work is that the ciphertext $\psi = \pi + r \bmod B_{pk}$ (where $r \in (2)$ and $\|r\| < r'_{Dec}$) is independent of the $t_i$'s. This fact, together with the iid-ness of the $t_i$'s, implies that the rounding errors $\varepsilon_i$ in computing the $c_i$'s are iid, as required to apply Hoeffding's bound. In the key-reuse application, the internal randomness $r$ of $\psi$ may depend on the $t_i$'s (due to a previous refreshing). To circumvent this, we randomize the ciphertext $\psi = \pi + r \bmod B_{pk}$ into another ciphertext $\psi' = \pi + r' \bmod B_{pk}$ for the same message $\pi$ but with internal randomness $r' \in (2)$ which is almost independent of the $t_i$'s. More precisely, given the $t_i$'s, the distribution of $r'$ is within negligible statistical distance of the ($t_i$-independent) distribution $2U$, where $U$ is the uniform distribution on the origin-centered ball of radius $r'_{Dec}/\mu$, with $\mu$ any negligible function of $\lambda$ such that $|\log \mu| = \tilde{O}(1)$ (e.g., $\mu = \lambda^{-\log \lambda}$).

We compute $\psi'$ by adding to $\psi$ an encryption of 0 with sufficiently large randomness compared to the randomness in $\psi$, i.e., we set $\psi' = \psi + \zeta \bmod B_{pk}$, where $\zeta$ is sampled from $2U$. If we replace the decryption radius $r'_{Dec}$ by $r''_{Dec} = r'_{Dec} (1 + 2/\mu)$ in Lemma 3.2, then the correctness of the scheme is preserved, as $\psi$ and $\psi'$ both decode to the same plaintext via algorithm Dec'. This has a negligible effect on the asymptotic efficiency (see Section 6.1). Assume that $\psi = \pi + r \bmod B_{pk}$ with $\|r\| < r'_{Dec}$. Let us consider the statistical distance between the distributions $r + 2U$ and $2U$. As a ball of radius $r'_{Dec}/\mu - r'_{Dec}$ is contained in the intersection of the two balls of radius $r'_{Dec}/\mu$ corresponding to $U$ and $r + U$, we obtain that the statistical distance under scope is at most $n \cdot \mu$, and hence negligible.
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Abstract. Group signature schemes allow users to sign messages on 
behalf of a group while (1) maintaining anonymity (within that group) 
with respect to an outside observer, yet (2) ensuring traceability of a 
signer (by the group manager) when needed. In this work we give the 
first construction of a group signature scheme based on lattices (more 
precisely, the learning with errors assumption), in the random oracle 
model. Towards our goal, we construct a new algorithm for sampling a 
basis for an orthogonal lattice, together with a trapdoor, that may be of 
independent interest. 

1 Introduction 

Group signature schemes uni allow users to sign messages on behalf of a group 
administered by some manager. The group is initialized by having the group 
manager generate master public and secret keys; upon admission to the group, a 
user is given a personal secret key that is derived from the master secret key by 
the manager. A member of the group can sign a message using their personal se- 
cret key, enabling anyone who knows the master public key to verify that some 
group member signed the message. Roughly, group signatures are required to 
satisfy two seemingly contradictory requirements: given some legitimate group 
signature a, the group manager should be able to determine which member of the 
group issued a ( traceability ), but no one other than the group manager should be 
able to determine any information about the signer ( anonymity ). Group signa- 
tures have proven to be a popular primitive, and since their introduction several 
constructions have been proposed both with random oracles 15101 1 dll ( 111 4122) and 
without |8I9I4I1 111212 Ij . 

While there exist constructions of group signature schemes based on trapdoor 
permutations I8l!)j , such schemes serve only as proofs of feasibility and are far from 
practical. On the other hand, practical schemes are based on a relatively small set 
of assumptions: namely, the strong RSA assumption |5I6I1 .'11221 and various as- 
sumptions related to groups having an associated bilinear map jlDlllllIl 111 212 1 j . 
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In this work we show the first construction of a group signature scheme from 
assumptions related to lattices. The use of lattice-based assumptions in cryp- 
tography has seen a flurry of activity in recent years. In part, this is due to a 
general desire to expand the set of assumptions on which cryptosystems can be 
based (i.e., beyond the standard set of assumptions related to the hardness of 
factoring and solving the discrete logarithm problem). Relying on lattice-based 
assumptions offers several concrete advantages as well: such assumptions are 
appealing because of the known worst-case/average-case connections between 
lattice problems, and also because lattice problems are currently immune to 
quantum attacks. Even restricting to classical attacks, the best-known algorithms 
for solving several lattice problems require exponential time (in contrast to the 
sub-exponential algorithms known, e.g., for factoring). Finally, relying on lattices 
can potentially yield efficient constructions because the basic lattice operations 
manipulate relatively small numbers and are inherently parallelizable. 

While our resulting construction is less efficient than existing schemes based 
on number-theoretic assumptions, our construction is significantly more efficient 
than the generic approaches of that rely on NIZK proofs based on a Karp 
reduction to some NP-complete language. (Peikert and Vaikuntanathan J2EJ con- 
struct NIZK proofs for specific lattice problems, however their results are not 
directly applicable to our work.) 

1.1 Our Techniques 

Our construction combines ideas from several different works, tying these to- 
gether using a new technical tool described below. At a high level, our group 
signature scheme follows a template similar (but not identical) to that of Bel- 
lare et al. jHj ■ The master public key in our scheme includes a public key pkn 
for a public-key encryption scheme, along with n signature verification keys 
pk\, . . . ,pJcn- The personal secret key given to the itli group member is ski, 
the signing key corresponding to pk, . To sign a message M, the group member 
(1) signs M using skp, (2) encrypts the resulting signature using pks\ and then 
(3) provides a NIZK proof of well-formedness (namely, that the given ciphertext 
encrypts a signature on M relative to one of the pki). This implies anonymity 
(since no one other than the group manager knows the decryption key skE cor- 
responding to p/cb), yet ensures traceability because the group manager can 
decrypt the ciphertext that is included as part of any valid group signature. 

To instantiate this approach using lattice-based assumptions, we need to iden- 
tify candidate signature and encryption schemes along with an appropriate NIZK 
proof system. While constructions of the former based on lattices are known, we 
do not currently have constructions of NIZK for all of NP from lattice-based 
assumptions and we will therefore have to tailor our scheme so that it can rely 
on (efficient) NIZK proofs for some specific language. This is explained in more 
detail in what follows. 

For the underlying signature scheme we use the GPV signature scheme m 
that works roughly as follows. The public key is a basis A £ Z”* m for a random 
lattice. To sign a message M, the signer uses a trapdoor T to find a “short” vector 
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e £ Z m with Ae — H(M) (where if is a hash function modeled as a random 
oracle). Under suitable assumptions, finding such a short vector e without the 
trapdoor is hard. 

We encrypt the resulting signature using what can be viewed as a non- 
standard variant of the Regev encryption scheme m Given a matrix B £ Z™ x rn 
(viewed as a public key) , we encrypt e £ Z m by choosing a random vector s £ Z" 
and outputting the ciphertext z = B T s + e. Effectively, e here is being used as 
the noise in an instance of the “learning with errors” (LWE) problem |2Zj. Before 
going further, we stress that this “encryption scheme” is not semantically secure. 
However, it turns out that we need something much weaker than semantic se- 
curity in order to prove anonymity of our scheme; roughly, all we need is that 
the encryption of a uniformly random e £ Z"' is computationally indistinguish- 
able from the encryption of a vector e chosen from a certain discrete Gaussian 
distribution. We defer further discussion to Section CO 

As described thus far, our group signature scheme would have a master public key consisting of verification keys $\mathbf{A}_1, \ldots, \mathbf{A}_N$ along with an encryption key $\mathbf{B}$; a signature would include $\mathbf{z} = \mathbf{B}^T\mathbf{s} + \mathbf{e}$, where $\mathbf{e}$ is such that $\mathbf{A}_i\mathbf{e} = H(M)$ for some $i$, along with a proof of well-formedness of the ciphertext $\mathbf{z}$. Constructing the proof of well-formedness turns out to be the most difficult aspect of our work, and it will be useful to modify our scheme a bit in order to help construct this proof. (In doing so, we also rely on specific properties of the GPV signature scheme.) We change our scheme as follows: Now, the master public key contains $N$ verification keys $\mathbf{A}_1, \ldots, \mathbf{A}_N$ (as before) and also $N$ encryption keys $\mathbf{B}_1, \ldots, \mathbf{B}_N$. To sign a message $M$, user $i$ computes a real signature $\mathbf{e}_i$ (using the trapdoor associated with $\mathbf{A}_i$) and "pseudo-signatures" $\mathbf{e}_j$ for all $j \neq i$. Each "pseudo-signature" $\mathbf{e}_j$ has the property that $\mathbf{A}_j\mathbf{e}_j = H(M)$; however, $\mathbf{e}_j$ is not short (and thus not a valid signature). All the $\{\mathbf{e}_j\}_{j=1}^N$ are then encrypted as before, with each $\mathbf{e}_j$ being encrypted using $\mathbf{B}_j$ to give a ciphertext $\mathbf{z}_j$. We then have the signer provide a proof that (1) each $\mathbf{z}_j$ encrypts a correct pseudo-signature with respect to $\mathbf{A}_j$, and (2) at least one of these pseudo-signatures is in fact short (and hence a valid signature). Further details are given next.

To provide a way for the signer to prove that every ciphertext $\mathbf{z}_j$ encrypts a pseudo-signature, we develop a new technical tool that we believe to be of independent interest: a way to sample a basis for an orthogonal lattice with its associated trapdoor.¹ Specifically, we show a technique that, given a matrix $\mathbf{B}$, generates $(\mathbf{A}, \mathbf{T})$ such that $\mathbf{A}\mathbf{B}^T = \mathbf{0} \pmod q$ and $\mathbf{T}$ is still a "good trapdoor" (in the sense required for GPV signatures) for $\mathbf{A}$. If we use matrices $\{\mathbf{A}_j\}$ generated in this way as verification keys in the group signature scheme described earlier, then it is possible to verify that a given ciphertext $\mathbf{z}_j$ encrypts a pseudo-signature with respect to $\mathbf{A}_j$ by checking whether $\mathbf{A}_j\mathbf{z}_j \stackrel{?}{=} H(M)$. This works because

$$\mathbf{A}_j\mathbf{z}_j = \mathbf{A}_j \cdot (\mathbf{B}_j^T\mathbf{s}_j + \mathbf{e}_j) = \mathbf{A}_j\mathbf{e}_j = H(M) \pmod q$$

by construction, the middle equality using $\mathbf{A}_j\mathbf{B}_j^T = \mathbf{0} \pmod q$.

¹ For our definition of an orthogonal lattice, see Section 2.

The only thing that remains is to provide a proof that at least one of the $\mathbf{z}_j$ encrypts a vector $\mathbf{e}_j$ that is also short. This translates to proving that at least one of the vectors $\mathbf{z}_j = \mathbf{B}_j^T\mathbf{s}_j + \mathbf{e}_j$ is "close to" the lattice generated by the columns of $\mathbf{B}_j^T$. This can be done using the (statistical) zero-knowledge protocol of Micciancio and Vadhan, coupled with standard techniques [17, 18] for making the proof witness indistinguishable and noninteractive in the random oracle model.

In essence, we obtain our efficiency gain by coupling together the encryption 
and the signature components so that the NIZK proof system we need to use is 
for a very simple language. 


1.2 Outline of the Paper 

We introduce some notation and review the necessary background on lattices in 
Section 2. For the reader who is already familiar with lattices, we highlight the following aspects of our treatment that are new to this work:

— In Section 2.2 (cf. Lemma 1) and in the rest of the paper, we consider the LWE problem under a non-standard error distribution. Fortunately, a recent result of Peikert [23] demonstrates that the hardness of the LWE problem under this distribution is implied by standard hardness results.

— In Section 2.4 we describe a technique for sampling a basis for an orthogonal lattice and its associated trapdoor.

We turn to group signatures in Section 3. We review the standard definitions of security for group signature schemes in Section 3.1, describe our construction in Section 3.2, and prove anonymity and traceability in Sections 3.3 and 3.4.

2 Preliminaries on Lattices 

Throughout, we use n for the security parameter; other parameters are taken to 
be functions of n. When we say “statistically close” we mean “within statistical 
difference negligible in n.” 

We review some basic properties of lattices as used in prior work. This section 
is included mainly to fix notation and ideas, and we refer to the original papers 
(cited below) for further exposition. 

We use bold lower-case letters (e.g., $\mathbf{x}$) to denote vectors, and bold upper-case letters (e.g., $\mathbf{B}$) to denote matrices. (Our vectors are always column vectors.) We let $\|\mathbf{x}\|$ denote the Euclidean (i.e., $\ell_2$) norm of the vector $\mathbf{x}$, and let $\|\mathbf{B}\|$ denote the maximum of the Euclidean norms of the columns of $\mathbf{B}$; i.e., if $\mathbf{B} = (\mathbf{b}_1 \mid \cdots \mid \mathbf{b}_n)$ then $\|\mathbf{B}\| \stackrel{\text{def}}{=} \max_i \|\mathbf{b}_i\|$. We let $\tilde{\mathbf{B}} = (\tilde{\mathbf{b}}_1 \mid \cdots \mid \tilde{\mathbf{b}}_n)$ denote the Gram-Schmidt orthogonalization of $\mathbf{B}$, defined iteratively in the following way: $\tilde{\mathbf{b}}_1 = \mathbf{b}_1$, and for each $i = 2, \ldots, n$, $\tilde{\mathbf{b}}_i$ is the component of $\mathbf{b}_i$ orthogonal to $\mathrm{span}(\mathbf{b}_1, \ldots, \mathbf{b}_{i-1})$. If $x \in \mathbb{R}$, then $\lceil x \rfloor$ denotes the rounding of $x$ to the nearest integer.




For $q$ an integer, $\mathbb{Z}_q$ denotes the standard group of integers modulo $q$. We will extend modular arithmetic to the reals in the obvious way: for example, for $q \in \mathbb{Z}^+$ and $x \in \mathbb{R}$ we use $x \bmod q$ to represent the unique real number $y \in [0, q)$ such that $x - y$ is an integer multiple of $q$. Finally, we define a notion of distance between elements in $\mathbb{Z}_q$ in the natural way: given $x, y \in \mathbb{Z}_q$, their distance is defined by mapping $(x - y) \bmod q$ to the set of integers $\{-\lfloor q/2 \rfloor, \ldots, \lfloor q/2 \rfloor\}$ and then taking the absolute value of the result.

Fixing $q$ and given a matrix $\mathbf{B} \in \mathbb{Z}_q^{n \times m}$, we define the $m$-dimensional lattice $\Lambda(\mathbf{B}^T)$ as $\Lambda(\mathbf{B}^T) \stackrel{\text{def}}{=} \{\mathbf{y} \in \mathbb{Z}^m \mid \mathbf{y} = \mathbf{B}^T\mathbf{s} \bmod q \text{ for some } \mathbf{s} \in \mathbb{Z}^n\}$. We define the orthogonal lattice $\Lambda^\perp(\mathbf{B})$ as $\Lambda^\perp(\mathbf{B}) \stackrel{\text{def}}{=} \{\mathbf{w} \in \mathbb{Z}^m \mid \mathbf{B} \cdot \mathbf{w} = \mathbf{0} \bmod q\}$. (Note that the notion of an orthogonal lattice is defined differently in some previous work.) Finally, for a vector $\mathbf{z} \in \mathbb{Z}_q^m$ we define

$$\mathrm{dist}(\Lambda(\mathbf{B}^T), \mathbf{z}) \stackrel{\text{def}}{=} \min_{\mathbf{s} \in \mathbb{Z}^n} \|\mathbf{B}^T\mathbf{s} - \mathbf{z}\|.$$

In other words, $\mathrm{dist}(\Lambda(\mathbf{B}^T), \mathbf{z})$ is the distance of $\mathbf{z}$ from the lattice spanned by the columns of $\mathbf{B}^T$.


2.1 Gaussian Error Distributions 


The one-dimensional (continuous) Gaussian distribution over $\mathbb{R}$, parameterized by $s \in \mathbb{R}^+$, is defined by the density function

$$\forall x \in \mathbb{R}: \quad D_s(x) = 1/s \cdot \exp(-\pi (x/s)^2).$$

In this work we always use a truncated Gaussian, i.e., the Gaussian distribution $D_s$ whose support is restricted to numbers $x \in \mathbb{R}$ such that $|x| < s \cdot \omega(\sqrt{\log n})$. The truncated and non-truncated distributions are statistically close, and we drop the word "truncated" from now on. The $m$-dimensional continuous Gaussian distribution is defined in a similar way, by the density function $D_s(\mathbf{x}) = 1/s^m \cdot \exp(-\pi(\|\mathbf{x}\|/s)^2)$. Finally, we denote by $D_{s,\mathbf{c}}$ the $m$-dimensional continuous Gaussian distribution centered at the point $\mathbf{c} \in \mathbb{R}^m$, i.e., $D_{s,\mathbf{c}}(\mathbf{x}) = 1/s^m \cdot \exp(-\pi(\|\mathbf{x} - \mathbf{c}\|/s)^2)$.

Let $\Lambda \subseteq \mathbb{Z}^m$ be a lattice. The discrete Gaussian distribution $D_{\Lambda,s,\mathbf{c}}$ is the $m$-dimensional Gaussian distribution centered at $\mathbf{c}$, but with support restricted to the lattice $\Lambda$. (We write $D_{\Lambda,s}$ as shorthand for $D_{\Lambda,s,\mathbf{0}}$.) Formally, the density function of the discrete Gaussian distribution is defined as

$$\forall \mathbf{x} \in \Lambda: \quad D_{\Lambda,s,\mathbf{c}}(\mathbf{x}) = \frac{D_{s,\mathbf{c}}(\mathbf{x})}{\sum_{\mathbf{y} \in \Lambda} D_{s,\mathbf{c}}(\mathbf{y})}.$$

Gentry et al. [11] show that given a basis $\mathbf{B}$ for $\Lambda$, this distribution can be sampled efficiently (to within negligible statistical distance) for $s \geq \|\tilde{\mathbf{B}}\| \cdot \omega(\sqrt{\log n})$.


2.2 The Learning with Errors Problem 

The "learning with errors" (LWE) problem was introduced by Regev [22] as a generalization of the "learning parity with noise" problem. We describe the problem in a form suitable for our applications in this paper.

Fix a positive integer $n$, integers $m \geq n$ and $q \geq 2$, a vector $\mathbf{s} \in \mathbb{Z}_q^n$, and a probability distribution $\chi$ on the interval $[0, q)^m$. Define the following two distributions over $\mathbb{Z}_q^{n \times m} \times [0, q)^m$:

— $\mathrm{LWE}_{m,q,\chi}(\mathbf{s})$ is the distribution obtained by choosing uniform $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$, sampling $\mathbf{e} \leftarrow \chi$, and outputting $(\mathbf{A}, \mathbf{A}^T\mathbf{s} + \mathbf{e} \bmod q)$.

— $U_{m,q}$ is the distribution obtained by choosing uniform $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ and uniform $\mathbf{y} \in [0, q)^m$, and outputting $(\mathbf{A}, \mathbf{y})$.

The decisional variant of the LWE problem (relative to the distribution $\chi$) can be stated informally as the problem of distinguishing between $U_{m,q}$ and $\mathrm{LWE}_{m,q,\chi}(\mathbf{s})$ for a uniform $\mathbf{s}$. Formally, for $m$, $q$, and $\chi$ that may depend on $n$ (viewed now as a security parameter) we say the $\mathrm{LWE}_{m,q,\chi}$ problem is hard if the following is negligible for any probabilistic polynomial-time algorithm $D$:

$$\Big|\, \Pr[\mathbf{s} \leftarrow \mathbb{Z}_q^n;\ (\mathbf{A}, \mathbf{y}) \leftarrow \mathrm{LWE}_{m,q,\chi}(\mathbf{s}) : D(\mathbf{A}, \mathbf{y}) = 1] \;-\; \Pr[(\mathbf{A}, \mathbf{y}) \leftarrow U_{m,q} : D(\mathbf{A}, \mathbf{y}) = 1] \,\Big|.$$

A standard setting for the LWE problem considers the error distribution $\bar{\Psi}_\alpha^m$ over $[0, q)^m$ defined as follows: Sample $m$ numbers $\eta_1, \ldots, \eta_m \leftarrow D_\alpha$, let $e_i := q \cdot \eta_i \pmod q$, and output $\mathbf{e} := (e_1, \ldots, e_m)^T$. We write $\mathrm{LWE}_{m,q,\alpha}(\mathbf{s})$ as an abbreviation for $\mathrm{LWE}_{m,q,\bar{\Psi}_\alpha^m}(\mathbf{s})$.

Evidence for the hardness of the $\mathrm{LWE}_{m,q,\alpha}$ problem comes from a result of Regev [22], who gave a quantum reduction from approximating certain lattice problems to within a factor of $\tilde{O}(n/\alpha)$ on $n$-dimensional lattices in the worst case to solving $\mathrm{LWE}_{m,q,\alpha}$, subject to the condition that $\alpha \cdot q > 2\sqrt{n}$. Recently, Peikert [21] gave a classical reduction for similar parameters. For our purposes, we note that the $\mathrm{LWE}_{m,q,\alpha}$ problem is believed to be hard, given the state of the art in lattice algorithms, for any $m, q = \mathrm{poly}(n)$ and $\alpha = 1/\mathrm{poly}(n)$ (subject to the above condition).

A second error distribution for the LWE problem² that we will use in this paper is the discrete Gaussian distribution $D_{\mathbb{Z}^m, \alpha q\sqrt{2}} \pmod q$. Although this distribution may seem similar to a discretized (rounded) version of $\bar{\Psi}_\alpha^m$, these distributions are statistically far from each other, and thus we cannot immediately conclude anything about the hardness of the LWE problem with respect to one distribution from hardness of the LWE problem with respect to the other. Fortunately, a recent result of Peikert [23] can be used to show that hardness of the LWE problem with respect to error distribution $D_{\mathbb{Z}^m, \alpha q\sqrt{2}}$ is implied by hardness of the LWE problem with respect to error distribution $\bar{\Psi}_\alpha^m$. We write $\mathrm{LWE}_{m,q,\alpha q\sqrt{2}}$ as an abbreviation for $\mathrm{LWE}_{m,q,D_{\mathbb{Z}^m,\alpha q\sqrt{2}}}$.

Lemma 1. For any $\alpha$, hardness of the $\mathrm{LWE}_{m,q,\alpha}$ problem implies hardness of the $\mathrm{LWE}_{m,q,\alpha q\sqrt{2}}$ problem.

² When using a discrete error distribution $\chi$ over $\mathbb{Z}_q^m$ (rather than a continuous distribution over $[0, q)^m$), the LWE problem is to distinguish $\mathrm{LWE}_{m,q,\chi}$ from the uniform distribution over $\mathbb{Z}_q^{n \times m} \times \mathbb{Z}_q^m$ (rather than $\mathbb{Z}_q^{n \times m} \times [0, q)^m$).
Proof. We show an efficient transformation $T$ that takes as input $(\mathbf{A}, \mathbf{y}) \in \mathbb{Z}_q^{n \times m} \times [0, q)^m$ and has the following properties:

— If $(\mathbf{A}, \mathbf{y})$ is uniform over $\mathbb{Z}_q^{n \times m} \times [0, q)^m$ then the output $T(\mathbf{A}, \mathbf{y})$ is uniform over $\mathbb{Z}_q^{n \times m} \times \mathbb{Z}_q^m$.

— If $(\mathbf{A}, \mathbf{y})$ is distributed according to $\mathrm{LWE}_{m,q,\alpha}(\mathbf{s})$ then $T(\mathbf{A}, \mathbf{y})$ is distributed according to $\mathrm{LWE}_{m,q,\alpha q\sqrt{2}}(\mathbf{s})$.

The lemma follows immediately from these two properties.

The transformation $T$ works as follows. Given $(\mathbf{A}, \mathbf{y})$, it samples a vector $\mathbf{w} \leftarrow D_{\mathbb{Z}^m - \mathbf{y}, \alpha q}$ and outputs the pair $(\mathbf{A}, \mathbf{y} + \mathbf{w} \pmod q)$.

First, say $(\mathbf{A}, \mathbf{y})$ is distributed uniformly over $\mathbb{Z}_q^{n \times m} \times [0, q)^m$. Note that $\mathbf{y} + \mathbf{w}$ is always an integer vector, and the distribution $\mathbf{w} \leftarrow D_{\mathbb{Z}^m - \mathbf{y}, \alpha q}$ depends only on the fractional part of each entry in $\mathbf{y}$. Since each entry of $\mathbf{y}$ is the sum of a uniform integer part in $\mathbb{Z}_q$ and an independent fractional part, it follows that $(\mathbf{A}, \mathbf{y} + \mathbf{w} \pmod q)$ is distributed uniformly over $\mathbb{Z}_q^{n \times m} \times \mathbb{Z}_q^m$.

On the other hand, say $\mathbf{y} = \mathbf{A}^T\mathbf{s} + \mathbf{e} \pmod q$ where $\mathbf{e} \sim \bar{\Psi}_\alpha^m$. Since we have $\mathbf{A}^T\mathbf{s} \in \mathbb{Z}^m$, sampling $\mathbf{w} \sim D_{\mathbb{Z}^m - \mathbf{y}, \alpha q} \pmod q$ is equivalent to sampling $\mathbf{w} \sim D_{\mathbb{Z}^m - \mathbf{e}, \alpha q} \pmod q$. A recent theorem of Peikert [23, Theorem 3.1] shows that the following two processes produce statistically close distributions:

— Sampling $\mathbf{e} \sim \bar{\Psi}_\alpha^m$ and then setting $\mathbf{e}' = \mathbf{e} + D_{\mathbb{Z}^m - \mathbf{e}, \alpha q} \pmod q$;

— Sampling $\mathbf{e}' \sim D_{\mathbb{Z}^m, \alpha q\sqrt{2}} \pmod q$.

We conclude that the output $T(\mathbf{A}, \mathbf{y}) = (\mathbf{A}, \mathbf{A}^T\mathbf{s} + (\mathbf{e} + \mathbf{w}) \pmod q)$ is distributed according to $\mathrm{LWE}_{m,q,\alpha q\sqrt{2}}(\mathbf{s})$.
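The transformation $T$ is mechanical enough to run. The Python below is an added illustration, not code from the paper: it samples $\bar{\Psi}_\alpha^m$ noise, applies $\mathbf{w} \leftarrow D_{\mathbb{Z}^m - \mathbf{y}, \alpha q}$ by enumerating each coset within a truncation window, and checks the two facts the proof relies on: the output is always an integer vector, and (as a sanity check on Peikert's theorem rather than a proof of it) its empirical variance matches $(\alpha q\sqrt{2})^2/(2\pi) = (\alpha q)^2/\pi$, the variance of $D_{\mathbb{Z}, \alpha q\sqrt{2}}$. The window radius `TAIL`, the parameters $\alpha q = 8$ and $q = 257$, and all function names are assumptions of the example.

```python
"""Lemma 1's error-switching transformation T, as an added illustration
(not the paper's code).  Starting from y in [0, q)^m carrying continuous
Psi-bar_alpha noise (Gaussian parameter alpha*q), T adds w <- D_{Z^m - y, alpha q}
and reduces mod q; the result is an integer vector whose error is
statistically close to the discrete Gaussian D_{Z^m, alpha q sqrt 2}.
The coset sampler enumerates the integers within TAIL*s of the centre; TAIL
stands in for the paper's s*omega(sqrt(log n)) truncation (assumption)."""
import math
import random

TAIL = 10.0  # truncation radius in units of s (assumption, cf. Section 2.1)

def rho(x, s):
    """Gaussian weight exp(-pi (x/s)^2) shared by D_s and D_{Lambda,s}."""
    return math.exp(-math.pi * (x / s) ** 2)

def sample_coset_gaussian(c, s, rng):
    """Draw v from D_{Z - c, s}: v = k - c with k in Z and Pr[v] ~ rho(v, s).
    Exact up to the tail cut-off, by enumeration over the window."""
    lo, hi = math.floor(c - TAIL * s), math.ceil(c + TAIL * s)
    pts = [k - c for k in range(lo, hi + 1)]
    return rng.choices(pts, weights=[rho(v, s) for v in pts], k=1)[0]

def sample_psi_bar(m, alpha, q, rng):
    """Psi-bar_alpha^m: e_i = q * eta_i (mod q) with eta_i <- D_alpha.
    D_alpha has density ~ exp(-pi (x/alpha)^2), i.e. std dev alpha/sqrt(2 pi)."""
    sigma = alpha / math.sqrt(2 * math.pi)
    return [(q * rng.gauss(0.0, sigma)) % q for _ in range(m)]

def transform(y, alpha, q, rng):
    """T on the second component: y -> y + w (mod q), w <- D_{Z^m - y, alpha q}.
    Each y_i + w_i is an integer by construction (round() only absorbs
    floating-point error), so the output lies in Z_q^m."""
    s = alpha * q
    return [round(yi + sample_coset_gaussian(yi, s, rng)) % q for yi in y]

def centered(v, q):
    """Representative of v mod q in (-q/2, q/2], the paper's distance map."""
    v %= q
    return v - q if v > q // 2 else v

def experiment(m=8000, alpha=8 / 257, q=257, seed=7):
    """Run T on pure Psi-bar noise (an LWE sample with s = 0) and return
    (all outputs integral, empirical variance of the centered output).
    D_{Z, alpha q sqrt 2} has variance about (alpha q sqrt 2)^2 / (2 pi)
    = (alpha q)^2 / pi, which is 64/pi ~ 20.4 for alpha q = 8."""
    rng = random.Random(seed)
    e_prime = transform(sample_psi_bar(m, alpha, q, rng), alpha, q, rng)
    integral = all(isinstance(v, int) for v in e_prime)
    vals = [centered(v, q) for v in e_prime]
    mean = sum(vals) / m
    return integral, sum((v - mean) ** 2 for v in vals) / m

def uniform_case(m=8000, q=257, seed=7):
    """The proof's first property: uniform y in [0, q)^m maps into Z_q^m."""
    rng = random.Random(seed)
    out = transform([rng.uniform(0, q) for _ in range(m)], 8 / 257, q, rng)
    return all(isinstance(v, int) and 0 <= v < q for v in out)
```

Enumerating the coset is fine for a one-dimensional toy but is not how a production sampler should work; it is here only to make the distribution $D_{\mathbb{Z}^m - \mathbf{y}, \alpha q}$ concrete.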

2.3 Trapdoor Functions and the GPV Signature Scheme 

Ajtai [2] and Alwen and Peikert [3] show algorithms that generate an almost uniform matrix $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ together with a "trapdoor" matrix $\mathbf{T} \in \mathbb{Z}^{m \times m}$ satisfying the following conditions:

Lemma 2 ([3]). There is a probabilistic polynomial-time algorithm $\mathsf{TrapSamp}$ that, on input $1^n, 1^m, q$ with $q \geq 2$ and $m \geq 8n\log q$, outputs matrices $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ and $\mathbf{T} \in \mathbb{Z}^{m \times m}$ such that:

— the distribution on $\mathbf{A}$ as output by $\mathsf{TrapSamp}$ is statistically close to uniform over $\mathbb{Z}_q^{n \times m}$,

— the columns of $\mathbf{T}$ form a basis of the lattice $\Lambda^\perp(\mathbf{A})$, implying in particular $\mathbf{A} \cdot \mathbf{T} = \mathbf{0} \pmod q$,

— $\|\mathbf{T}\| = O(n\log q)$ and $\|\tilde{\mathbf{T}}\| \leq C \cdot \sqrt{n\log q}$, for some absolute constant $C < 40$.

Given an "LWE instance" $(\mathbf{A}, \mathbf{y} = \mathbf{A}^T\mathbf{s} + \mathbf{e})$ for a "short" vector $\mathbf{e}$, knowledge of $\mathbf{T}$ can be used to recover $\mathbf{s}$. Specifically, if $\|\mathbf{T}\| \leq L$ and $\mathbf{e}$ is drawn from $\bar{\Psi}_\alpha^m$ for $\alpha \leq 1/(L \cdot \omega(\sqrt{\log n}))$, then $\mathbf{s}$ can be easily recovered. This is done by first computing

$$\mathbf{T}^T\mathbf{y} \pmod q = \mathbf{T}^T(\mathbf{A}^T\mathbf{s} + \mathbf{e}) \pmod q = (\mathbf{A}\mathbf{T})^T\mathbf{s} + \mathbf{T}^T\mathbf{e} \pmod q = \mathbf{T}^T\mathbf{e} \pmod q.$$


402 S.D. Gordon, J. Katz, and V. Vaikuntanathan 


Since both $\mathbf{T}$ and $\mathbf{e}$ contain only "small" entries, each entry of the vector $\mathbf{T}^T\mathbf{e}$ is smaller than $q/2$ in absolute value, and thus $\mathbf{T}^T\mathbf{e} \pmod q$ (taken with centered representatives) is equal to $\mathbf{T}^T\mathbf{e}$ over the integers. Multiplying by $(\mathbf{T}^T)^{-1}$ thus gives $\mathbf{e}$, after which it is easy to recover $\mathbf{s}$ from $\mathbf{y} - \mathbf{e} = \mathbf{A}^T\mathbf{s} \pmod q$ by linear algebra.

The GPV signature scheme. Gentry, Peikert, and Vaikuntanathan [11] showed how to use the trapdoor sampling procedure described above to construct a one-way preimage-sampleable function. This can then be turned into a digital signature scheme using an "FDH-like" construction. (See [11] for a formal definition of preimage-sampleable functions and the construction of the signature scheme.) Here, we describe how the preimage-sampleable function works.

Take $q = \mathrm{poly}(n)$, $m \geq 8n\log q$, and $s \geq C \cdot \sqrt{n\log q} \cdot \omega(\sqrt{\log n})$ (where the constant $C$ is from Lemma 2). The one-way preimage-sampleable function is defined by the following algorithms:

— $\mathsf{GPVGen}(1^n)$ runs $\mathsf{TrapSamp}(1^n, 1^m, q)$ to obtain $(\mathbf{A}, \mathbf{T})$. The matrix $\mathbf{A}$ (and $q$) defines the function $f_{\mathbf{A}}(\mathbf{e}) = \mathbf{A}\mathbf{e} \pmod q$, with domain $\{\mathbf{e} \in \mathbb{Z}^m : \|\mathbf{e}\| \leq s\sqrt{m}\}$ and range $\mathbb{Z}_q^n$. Hardness of inversion is with respect to the discrete Gaussian distribution $D_{\mathbb{Z}^m, s}$ over the domain.

— The trapdoor inversion algorithm $\mathsf{GPVInvert}(\mathbf{A}, \mathbf{T}, s, \mathbf{u})$ samples from $f_{\mathbf{A}}^{-1}(\mathbf{u})$ as follows: first, it computes (using standard linear algebra) an arbitrary $\mathbf{t} \in \mathbb{Z}^m$ such that $\mathbf{A}\mathbf{t} = \mathbf{u} \pmod q$ (except for a negligible fraction of $\mathbf{A}$, such a $\mathbf{t}$ always exists). Then it samples and outputs $\mathbf{e} \leftarrow D_{\Lambda^\perp(\mathbf{A}) + \mathbf{t}, s}$.

The above function is one-way if $\mathrm{GapSVP}_\gamma$ is hard in the worst case for a polynomial approximation factor $\gamma$ [11].

2.4 Sampling an Orthogonal Lattice with Trapdoor 

We show a variant of the trapdoor sampling algorithm described in Lemma 2. In our variant, the algorithm is additionally given a matrix $\mathbf{B} \in \mathbb{Z}_q^{n \times m}$ and (informally) should output a matrix $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ with an associated trapdoor $\mathbf{T} \in \mathbb{Z}^{m \times m}$, with the additional requirement that the rows of $\mathbf{A}$ are orthogonal (over $\mathbb{Z}_q$) to the rows of $\mathbf{B}$. In other words, we require that $\mathbf{A}\mathbf{B}^T = \mathbf{0} \pmod q$.

Overview of the construction. The basic idea is as follows. Write $\mathbf{B}^T$ as

$$\mathbf{B}^T = \begin{pmatrix} \mathbf{B}_1 \\ \mathbf{B}_2 \end{pmatrix}$$

with $\mathbf{B}_2$ a square, invertible matrix of dimension $n \times n$. We then generate an orthogonal matrix $\mathbf{A} = [\mathbf{A}_1 \mid \mathbf{A}_2]$ in two steps. We generate the first component $\mathbf{A}_1$ using the $\mathsf{TrapSamp}$ algorithm. Recall, this returns a matrix that is statistically close to uniform, along with an associated trapdoor $\mathbf{T}_1$. Once we have chosen $\mathbf{A}_1$, the second component $\mathbf{A}_2$ is constrained to a fixed value by the requirement that $\mathbf{A}\mathbf{B}^T = \mathbf{0} \pmod q$: we thus generate $\mathbf{A}_2$ by solving the linear equations that define this constraint.

All that remains is to find a trapdoor $\mathbf{T}$ such that the columns of $\mathbf{T}$ are short and $\mathbf{A}\mathbf{T} = \mathbf{0} \pmod q$. Here we rely on the recent basis delegation techniques of Cash et al., which allow us to "extend" the basis $\mathbf{T}_1$ into a larger basis $\mathbf{T}$ for $\Lambda^\perp(\mathbf{A})$ as desired. The details follow.

Lemma 3. There is a probabilistic polynomial-time algorithm $\mathsf{OrthoSamp}$ that on input $1^n, 1^m, q$ (with $q \geq 2$ and $m \geq n + 8n\log q$) and a matrix $\mathbf{B} \in \mathbb{Z}_q^{n \times m}$ whose columns span $\mathbb{Z}_q^n$, outputs matrices $\mathbf{A} \in \mathbb{Z}_q^{n \times m}$ and $\mathbf{T} \in \mathbb{Z}^{m \times m}$ such that:

— $\mathbf{A}\mathbf{B}^T = \mathbf{0} \pmod q$. Moreover, the distribution on $\mathbf{A}$ is statistically close to uniform over $\mathbb{Z}_q^{n \times m}$, subject to this condition,

— the columns of $\mathbf{T}$ form a basis of the lattice $\Lambda^\perp(\mathbf{A})$, implying in particular $\mathbf{A} \cdot \mathbf{T} = \mathbf{0} \pmod q$,

— furthermore, each column $\mathbf{t}_i$ of $\mathbf{T}$ is distributed (independently) according to $D_{\Lambda^\perp(\mathbf{A}), s}$, where $s = C \cdot \sqrt{n\log q} \cdot \omega(\sqrt{\log m})$ and $C$ is the constant from Lemma 2.

Proof. Let $m_1 = 8n\log q$ and $m_2 = n$. Write

$$\mathbf{B}^T = \begin{pmatrix} \mathbf{B}_1 \\ \mathbf{B}_2 \end{pmatrix},$$

where $\mathbf{B}_1 \in \mathbb{Z}_q^{m_1 \times n}$ and $\mathbf{B}_2 \in \mathbb{Z}_q^{m_2 \times n}$. Furthermore, we require that the square matrix $\mathbf{B}_2$ has full rank, i.e., its rows span $\mathbb{Z}_q^n$ (such a decomposition of $\mathbf{B}$ into $\mathbf{B}_1$ and $\mathbf{B}_2$ can always be found, possibly after permuting the rows of $\mathbf{B}^T$, since the rows of $\mathbf{B}^T$ span $\mathbb{Z}_q^n$).

The algorithm $\mathsf{OrthoSamp}$ works as follows:

1. Compute $(\mathbf{A}_1, \mathbf{T}_1) \leftarrow \mathsf{TrapSamp}(1^n, 1^{m_1}, q)$. Let $\mathbf{A}_2 \in \mathbb{Z}_q^{n \times m_2}$ be the matrix satisfying

$$\mathbf{A}_2\mathbf{B}_2 = -\mathbf{A}_1\mathbf{B}_1 \pmod q.$$

Since $\mathbf{B}_2$ is invertible over $\mathbb{Z}_q$ by construction, this $\mathbf{A}_2$ is unique and can be computed as $-\mathbf{A}_1\mathbf{B}_1\mathbf{B}_2^{-1} \pmod q$. If the columns of $\mathbf{A}_1$ do not span $\mathbb{Z}_q^n$, output $\bot$. This occurs only with negligible probability.

2. Extend the basis $\mathbf{T}_1$ into a basis $\mathbf{T}' \in \mathbb{Z}^{m \times m}$ for $\Lambda^\perp(\mathbf{A})$ using the technique of Cash et al. (Lemma 3.2 there). We present their technique for completeness. Let $\mathbf{T}'$ be of the form

$$\mathbf{T}' = \begin{pmatrix} \mathbf{T}_1 & \mathbf{W} \\ \mathbf{0} & \mathbf{I} \end{pmatrix},$$

where $\mathbf{W} \in \mathbb{Z}^{m_1 \times m_2}$ is an arbitrary matrix satisfying $\mathbf{A}_1\mathbf{W} = -\mathbf{A}_2 \pmod q$, and $\mathbf{I} \in \mathbb{Z}^{m_2 \times m_2}$ is the identity matrix. (Note that $\mathbf{W}$ exists by the assumption that the columns of $\mathbf{A}_1$ span $\mathbb{Z}_q^n$.)

3. Randomize the basis $\mathbf{T}'$ into a "random basis" $\mathbf{T}$. This is done by running the $\mathsf{RandBasis}$ algorithm of Cash et al. (Lemma 3.3 there) on $\mathbf{T}'$ using parameter $s = \|\tilde{\mathbf{T}}'\| \cdot \omega(\sqrt{\log m})$. Output $\mathbf{A} = [\mathbf{A}_1 \mid \mathbf{A}_2]$ and $\mathbf{T}$.

We now verify that this algorithm satisfies the required properties. First observe that

$$\mathbf{A}\mathbf{B}^T = \mathbf{A}_1\mathbf{B}_1 + \mathbf{A}_2\mathbf{B}_2 = \mathbf{A}_1\mathbf{B}_1 - \mathbf{A}_1\mathbf{B}_1 = \mathbf{0} \pmod q.$$

The claim regarding the distribution of $\mathbf{A}$ follows directly from the construction. We also have

$$\mathbf{A}\mathbf{T}' = [\mathbf{A}_1 \mid \mathbf{A}_2] \cdot \begin{pmatrix} \mathbf{T}_1 & \mathbf{W} \\ \mathbf{0} & \mathbf{I} \end{pmatrix} = [\mathbf{A}_1\mathbf{T}_1 + \mathbf{A}_2 \cdot \mathbf{0} \mid \mathbf{A}_1\mathbf{W} + \mathbf{A}_2] = \mathbf{0} \pmod q,$$

where the final equality holds because $\mathbf{A}_1\mathbf{T}_1 = \mathbf{0}$ by the properties of $\mathsf{TrapSamp}$, and $\mathbf{A}_1\mathbf{W} = -\mathbf{A}_2$ by construction. Thus, the columns of $\mathbf{T}'$ lie in $\Lambda^\perp(\mathbf{A})$; they form a basis of it because $\det \mathbf{T}' = \det \mathbf{T}_1 = q^n$, which is also the determinant of $\Lambda^\perp(\mathbf{A})$ since the columns of $\mathbf{A}$ span $\mathbb{Z}_q^n$. Finally, since $\mathbf{T}$ is the result of running $\mathsf{RandBasis}$ on $\mathbf{T}'$, $\mathbf{T}$ is also a basis for $\Lambda^\perp(\mathbf{A})$.

Finally, from the work of Cash et al., we know that $\|\tilde{\mathbf{T}}'\| \leq \|\tilde{\mathbf{T}}_1\| = O(\sqrt{n\log q})$. Thus, by the property of the $\mathsf{RandBasis}$ algorithm from that work, each column of $\mathbf{T}$ is independently distributed according to $D_{\Lambda^\perp(\mathbf{A}), s}$, where $s = C \cdot \sqrt{n\log q} \cdot \omega(\sqrt{\log m})$.

The following corollary follows from the above construction, and will be used in the security proof of our signature scheme.

Corollary 1. The distributions

$$\{\mathbf{B} \leftarrow \mathbb{Z}_q^{n \times m};\ (\mathbf{A}, \mathbf{T}) \leftarrow \mathsf{OrthoSamp}(1^n, 1^m, q, \mathbf{B}) : (\mathbf{A}, \mathbf{T}, \mathbf{B})\}$$

and

$$\{(\mathbf{A}, \mathbf{T}') \leftarrow \mathsf{TrapSamp}(1^n, 1^m, q);\ \mathbf{T} \leftarrow \mathsf{RandBasis}(\mathbf{T}');\ (\mathbf{B}, \mathbf{S}) \leftarrow \mathsf{OrthoSamp}(1^n, 1^m, q, \mathbf{A}) : (\mathbf{A}, \mathbf{T}, \mathbf{B})\}$$

are statistically close.


2.5 Efficient NIWI Proofs for Lattice Problems 

Let $\mathbf{B}_1, \ldots, \mathbf{B}_N \in \mathbb{Z}_q^{n \times m}$ and $\mathbf{z}_1, \ldots, \mathbf{z}_N \in \mathbb{Z}_q^m$. In this section we briefly describe how it is possible to construct a noninteractive witness-indistinguishable (NIWI) proof (in the random oracle model) for the gap language $L_{s,\gamma} = (L_{\mathrm{YES}}, L_{\mathrm{NO}})$ defined by:

$$L_{\mathrm{YES}} = \Big\{ \big((\mathbf{B}_1, \ldots, \mathbf{B}_N), (\mathbf{z}_1, \ldots, \mathbf{z}_N)\big) \ \Big|\ \exists\, \mathbf{s} \in \mathbb{Z}_q^n \text{ and } i \in [N] : \|\mathbf{z}_i - \mathbf{B}_i^T\mathbf{s}\| \leq s\sqrt{m} \Big\}$$

$$L_{\mathrm{NO}} = \Big\{ \big((\mathbf{B}_1, \ldots, \mathbf{B}_N), (\mathbf{z}_1, \ldots, \mathbf{z}_N)\big) \ \Big|\ \forall\, \mathbf{s} \in \mathbb{Z}_q^n \text{ and } i \in [N] : \|\mathbf{z}_i - \mathbf{B}_i^T\mathbf{s}\| > \gamma \cdot s\sqrt{m} \Big\}$$

Here, $L_{\mathrm{YES}}$ is a collection of $N$ points at least one of which is close to the corresponding lattice, and $L_{\mathrm{NO}}$ is a collection of $N$ points all of which are far from the corresponding lattices.

Our starting point is an (interactive) witness-indistinguishable (WI) proof system for the gap version of the closest vector problem, i.e., for the language $L'_\gamma = (L'_{\mathrm{YES}}, L'_{\mathrm{NO}})$ studied by Micciancio and Vadhan:

$$L'_{\mathrm{YES}} = \{(\mathbf{B}, \mathbf{z}, t) \mid \exists\, \mathbf{s} : \|\mathbf{z} - \mathbf{B}^T\mathbf{s}\| \leq t\},$$

$$L'_{\mathrm{NO}} = \{(\mathbf{B}, \mathbf{z}, t) \mid \forall\, \mathbf{s} : \|\mathbf{z} - \mathbf{B}^T\mathbf{s}\| > \gamma \cdot t\}.$$

Our language $L_{s,\gamma}$ can be described as the OR of several instances of $L'_\gamma$; that is,

$$\big((\mathbf{B}_i)_{i=1}^N, (\mathbf{z}_i)_{i=1}^N\big) \in L_{\mathrm{YES}} \iff \bigvee_{i \in [N]} \big((\mathbf{B}_i, \mathbf{z}_i, s\sqrt{m}) \in L'_{\mathrm{YES}}\big).$$

We can thus use the techniques of Cramer, Damgård, and Schoenmakers to obtain an interactive WI proof for $L_{s,\gamma}$ with negligible soundness error. Using the Fiat-Shamir transformation, the resulting protocol can be made noninteractive in the random oracle model.

We remark that for our application we only require soundness (and do not require the proof system to be a proof of knowledge) and witness indistinguishability (rather than zero knowledge). The observations in this section are summarized in the following lemma.

Lemma 4. Let $\gamma \geq O(\sqrt{m/\log m})$. Then there is a noninteractive witness-indistinguishable proof system for the language $L_{s,\gamma}$ in the random oracle model, where the length of the proof is $O(mnN\log q)$ bits.

3 A Group Signature Scheme Based on Lattices 

3.1 Definitions 

We adopt the definition of group signature schemes from the work of Bellare, Micciancio, and Warinschi, with the relaxation suggested by Boneh, Boyen, and Shacham (and considered also in, e.g., subsequent work). Formally, a group signature scheme $\mathcal{GS} = (\mathsf{G.KeyGen}, \mathsf{G.Sign}, \mathsf{G.Vrfy}, \mathsf{G.Open})$ is a collection of four polynomial-time algorithms defined as follows.

— The group key-generation algorithm $\mathsf{G.KeyGen}(1^n, 1^N)$ is a randomized algorithm that takes a security parameter $1^n$ and the group size $1^N$ as input, and outputs $(PK, TK, \mathbf{gsk})$, where $PK$ is the group public key, $TK$ is the group manager's tracing key, and $\mathbf{gsk}$ is a vector of $N$ signing keys with $\mathbf{gsk}[i]$ being the signing key given to the $i$th group member.

— The group signature algorithm $\mathsf{G.Sign}(\mathbf{gsk}[i], M)$ is a randomized algorithm that takes as input a secret signing key $\mathbf{gsk}[i]$ and a message $M$, and outputs a signature $\sigma$.

— The group signature verification algorithm $\mathsf{G.Vrfy}(PK, M, \sigma)$ is a deterministic algorithm that takes as input the group public key $PK$, a message $M$, and a signature $\sigma$, and outputs either 1 or 0 (signifying accept or reject, respectively).

— The opening algorithm $\mathsf{G.Open}(TK, M, \sigma)$ is a deterministic algorithm that takes as input the tracing key $TK$, a message $M$, and a signature $\sigma$, and outputs an identity $i \in [N]$.

The basic consistency requirements of a group signature scheme are that an honest signature generated by a group member should be accepted as correct, and must be traceable to the group member who issued it. That is, for any $(PK, TK, \mathbf{gsk})$ output by $\mathsf{G.KeyGen}(1^n, 1^N)$, any $M$, and any $i \in [N]$, if $\sigma \leftarrow \mathsf{G.Sign}(\mathbf{gsk}[i], M)$ then

$$\mathsf{G.Vrfy}(PK, M, \sigma) = 1 \quad \text{and} \quad \mathsf{G.Open}(TK, M, \sigma) = i,$$

except with negligible probability over the entire experiment.

Group signature schemes are also required to satisfy two basic security properties: anonymity and traceability. Anonymity means that without the tracing key it should be infeasible to determine which group member issued a particular signature (even given all the signing keys). Bellare et al. defined a "CCA-version" of this notion, where the adversary is given access to a tracing oracle. Following Boneh, Boyen, and Shacham, we use a "CPA-version" of anonymity where such oracle access is not given.

Definition 1. A group signature scheme $\mathcal{GS} = (\mathsf{G.KeyGen}, \mathsf{G.Sign}, \mathsf{G.Vrfy}, \mathsf{G.Open})$ is anonymous if for all polynomials $N(\cdot)$ and all probabilistic polynomial-time adversaries $\mathcal{A}$, the advantage of $\mathcal{A}$ in the following experiment is negligible in $n$:

1. Compute $(PK, TK, \mathbf{gsk}) \leftarrow \mathsf{G.KeyGen}(1^n, 1^N)$ and give $(PK, \mathbf{gsk})$ to $\mathcal{A}$.

2. $\mathcal{A}$ outputs two identities $i_0, i_1 \in [N]$, along with a message $M$. A random bit $b$ is chosen, and $\mathcal{A}$ is given $\mathsf{G.Sign}(\mathbf{gsk}[i_b], M)$. Finally, $\mathcal{A}$ outputs a bit $b'$.

$\mathcal{A}$ succeeds (denoted $\mathsf{Succ}$) if $b' = b$, and the advantage of $\mathcal{A}$ is $|\Pr[\mathsf{Succ}] - \tfrac{1}{2}|$.

Traceability means that it should be infeasible for an adversary who corrupts 
some set of users C to output a valid signature that cannot be traced to some 
member of C. 

Definition 2. A group signature scheme $\mathcal{GS} = (\mathsf{G.KeyGen}, \mathsf{G.Sign}, \mathsf{G.Vrfy}, \mathsf{G.Open})$ is traceable if for all polynomials $N(\cdot)$ and all probabilistic polynomial-time adversaries $\mathcal{A}$, the success probability of $\mathcal{A}$ in the following experiment is negligible in $n$:

1. Compute $(PK, TK, \mathbf{gsk}) \leftarrow \mathsf{G.KeyGen}(1^n, 1^N)$ and give $PK$ and $TK$ to $\mathcal{A}$.

2. $\mathcal{A}$ may query the following oracles adaptively and in any order:

— A $\mathsf{Corrupt}$ oracle that on input $i \in [N]$ returns $\mathbf{gsk}[i]$.

— A $\mathsf{Sign}$ oracle that on input $i, M$ outputs $\mathsf{G.Sign}(\mathbf{gsk}[i], M)$.

Let $C$ be the set of identities queried to $\mathsf{Corrupt}$.

3. At some point, $\mathcal{A}$ outputs a message $M$ and a signature $\sigma$.

$\mathcal{A}$ succeeds if (1) $\mathsf{G.Vrfy}(PK, M, \sigma) = 1$, (2) $\mathsf{Sign}(i, M)$ was never queried for $i \notin C$, and yet (3) $\mathsf{G.Open}(TK, M, \sigma) \notin C$.

3.2 Our Construction 

We let $n$ be the security parameter, $q = \mathrm{poly}(n)$, $m \geq 8n\log q$, and $s \geq C\sqrt{n\log q} \cdot \omega(\sqrt{\log m})$ be parameters of the system. We let $H : \{0,1\}^* \to \mathbb{Z}_q^n$ be a hash function, to be modeled as a random oracle.

$\mathsf{G.KeyGen}(1^n, 1^N)$: First compute $(\mathbf{B}_1, \mathbf{S}_1), \ldots, (\mathbf{B}_N, \mathbf{S}_N) \leftarrow \mathsf{TrapSamp}(1^n, 1^m, q)$ and then, for $1 \leq i \leq N$, compute $(\mathbf{A}_i, \mathbf{T}_i) \leftarrow \mathsf{OrthoSamp}(1^n, 1^m, q, \mathbf{B}_i)$. Output $PK = \big((\mathbf{A}_i, \mathbf{B}_i)\big)_{i=1}^N$ as the public key, $TK = (\mathbf{S}_i)_{i=1}^N$ as the tracing key, and $\mathbf{gsk} = (\mathbf{T}_i)_{i=1}^N$ as the users' signing keys.

$\mathsf{G.Sign}(\mathbf{gsk}[j], M)$: To sign message $M$ using secret key $\mathbf{gsk}[j] = \mathbf{T}_j$, choose random $r \leftarrow \{0,1\}^n$, set $\bar{M} = M \| r$, and then compute $\mathbf{h}_i = H(\bar{M} \| i)$ for $1 \leq i \leq N$. Then:

— Compute $\mathbf{e}_j \leftarrow \mathsf{GPVInvert}(\mathbf{A}_j, \mathbf{T}_j, s, \mathbf{h}_j)$.

— For $i \neq j$, choose $\mathbf{e}_i \in \mathbb{Z}_q^m$ uniformly subject to the condition that $\mathbf{A}_i\mathbf{e}_i = \mathbf{h}_i \pmod q$.

For all $i$, sample $\mathbf{s}_i \leftarrow \mathbb{Z}_q^n$ and compute $\mathbf{z}_i = \mathbf{B}_i^T\mathbf{s}_i + \mathbf{e}_i \pmod q \in \mathbb{Z}_q^m$. Finally, construct an NIWI proof $\pi$ for the gap language $L_{s,\gamma}$ as discussed in Section 2.5, using the witness $(\mathbf{s}_j, j)$. Output the signature $(r, \mathbf{z}_1, \ldots, \mathbf{z}_N, \pi)$.

$\mathsf{G.Vrfy}(PK, M, \sigma)$: Parse the signature as $(r, \mathbf{z}_1, \ldots, \mathbf{z}_N, \pi)$ and set $\bar{M} = M \| r$. Output 1 iff the proof $\pi$ is correct, and $\mathbf{A}_i\mathbf{z}_i = H(\bar{M} \| i) \pmod q$ for all $i$.

$\mathsf{G.Open}(TK, M, \sigma)$: Parse the signature as $(r, \mathbf{z}_1, \ldots, \mathbf{z}_N, \pi)$. Using the $\{\mathbf{S}_i\}$, output the smallest index $i$ for which³ $\mathrm{dist}(\Lambda(\mathbf{B}_i^T), \mathbf{z}_i) \leq s\sqrt{m}$.

We first check correctness. Let $(r, \mathbf{z}_1, \ldots, \mathbf{z}_N, \pi)$ be a signature produced by an honest signer. It is clear that $\pi$ is a valid proof. Moreover, for any $i$ we have

$$\mathbf{A}_i\mathbf{z}_i = \mathbf{A}_i(\mathbf{B}_i^T\mathbf{s}_i + \mathbf{e}_i) = \mathbf{A}_i\mathbf{e}_i = H(\bar{M} \| i) \pmod q,$$

and so verification succeeds. Correctness of the opening algorithm follows easily: the real signature $\mathbf{e}_j$ has norm at most $s\sqrt{m}$, so $\mathbf{z}_j$ is within distance $s\sqrt{m}$ of $\Lambda(\mathbf{B}_j^T)$, whereas for $i \neq j$ the uniformly random $\mathbf{e}_i$ leaves $\mathbf{z}_i$ far from $\Lambda(\mathbf{B}_i^T)$ except with negligible probability.
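As an added worked example (not code from the paper), the following Python script exercises the arithmetic behind the verification equation just shown and behind step 1 of $\mathsf{OrthoSamp}$ from Section 2.4: it builds $\mathbf{A}$ with $\mathbf{A}\mathbf{B}^T = \mathbf{0} \pmod q$ from a uniform $\mathbf{B}$, draws a uniform pseudo-signature $\mathbf{e}$ with $\mathbf{A}\mathbf{e} = \mathbf{h}$, forms $\mathbf{z} = \mathbf{B}^T\mathbf{s} + \mathbf{e}$, and checks $\mathbf{A}\mathbf{z} = \mathbf{h}$. It also shows what the orthogonality buys: with a verification key that is not orthogonal to $\mathbf{B}^T$, the verifier sees $\mathbf{A}\mathbf{B}^T\mathbf{s} + \mathbf{h}$ and the check fails. The modulus $q = 257$ (assumed prime so that elimination mod $q$ works), the toy dimensions $n = 3$, $m = 8$, and all function names are assumptions of the example; the short trapdoor, the Gaussian sampling and the NIWI proof are not modelled, so nothing here is hard to forge.

```python
"""Toy model of the GKV verifier check A_i z_i = H(M||i) (mod q).

Added illustration, not the paper's code: only the linear algebra of step 1
of OrthoSamp (A_2 = -A_1 B_1 B_2^{-1}), uniform pseudo-signatures (A e = h),
the Regev-style z = B^T s + e and the check itself.  No short trapdoor,
Gaussian sampling or NIWI proof is modelled.  Assumptions: q is prime (so
elimination mod q works; the paper needs only q = poly(n)), n = 3, m = 8.
"""
import random

Q = 257  # toy prime modulus (assumption)

def matmul(X, Y, q):
    """Product of two matrices (lists of rows) over Z_q."""
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) % q
             for j in range(len(Y[0]))] for i in range(len(X))]

def transpose(X):
    return [list(col) for col in zip(*X)]

def rand_matrix(rows, cols, q, rng):
    return [[rng.randrange(q) for _ in range(cols)] for _ in range(rows)]

def rref_mod_q(M, q):
    """Reduced row echelon form over Z_q (q prime); returns (R, pivot columns)."""
    R, pivots, r = [row[:] for row in M], [], 0
    for c in range(len(R[0])):
        piv = next((i for i in range(r, len(R)) if R[i][c]), None)
        if piv is None:
            continue
        R[r], R[piv] = R[piv], R[r]
        inv = pow(R[r][c], -1, q)
        R[r] = [(v * inv) % q for v in R[r]]
        for i in range(len(R)):
            if i != r and R[i][c]:
                f = R[i][c]
                R[i] = [(a - f * b) % q for a, b in zip(R[i], R[r])]
        pivots.append(c)
        r += 1
        if r == len(R):
            break
    return R, pivots

def inverse_mod_q(M, q):
    """Inverse over Z_q via [M | I] -> [I | M^{-1}]; raises if singular."""
    n = len(M)
    R, pivots = rref_mod_q([row + [int(i == j) for j in range(n)]
                            for i, row in enumerate(M)], q)
    if pivots[:n] != list(range(n)):
        raise ValueError("matrix is not invertible mod q")
    return [row[n:] for row in R]

def uniform_preimage(A, h, q, rng=None):
    """Uniform e in Z_q^m with A e = h (mod q): a GKV pseudo-signature.  Free
    coordinates are drawn uniformly, pivot coordinates solved for; that map
    is a bijection from Z_q^{#free} onto the solution set, hence uniform."""
    rng = rng if rng is not None else random
    m = len(A[0])
    R, pivots = rref_mod_q([A[i] + [h[i] % q] for i in range(len(A))], q)
    if m in pivots:
        raise ValueError("h is outside the column span of A")
    free = [c for c in range(m) if c not in pivots]
    e = [0] * m
    for c in free:
        e[c] = rng.randrange(q)
    for i, c in enumerate(pivots):
        e[c] = (R[i][m] - sum(R[i][j] * e[j] for j in free)) % q
    return e

def ortho_sample_linear_part(B, q, rng):
    """Step 1 of OrthoSamp (Lemma 3), trapdoor omitted: with B^T = [B_1; B_2]
    (B_2 the last n rows), draw A_1 uniformly and set A_2 = -A_1 B_1 B_2^{-1},
    so that A B^T = A_1 B_1 + A_2 B_2 = 0 (mod q)."""
    n, m = len(B), len(B[0])
    BT = transpose(B)
    A1 = rand_matrix(n, m - n, q, rng)
    A2 = matmul(matmul(A1, BT[:m - n], q), inverse_mod_q(BT[m - n:], q), q)
    return [a1 + [(-v) % q for v in a2] for a1, a2 in zip(A1, A2)]

def make_keys(n, m, q, rng=None):
    """Uniform B, re-drawn until B_2 is invertible (Lemma 3 assumes the columns
    of B span Z_q^n), together with A satisfying A B^T = 0 (mod q)."""
    rng = rng if rng is not None else random
    while True:
        B = rand_matrix(n, m, q, rng)
        try:
            return ortho_sample_linear_part(B, q, rng), B
        except ValueError:
            continue

def sign_component(A, B, h, q, rng=None):
    """One coordinate of a GKV signature: z = B^T s + e (mod q), s uniform."""
    rng = rng if rng is not None else random
    s = [[rng.randrange(q)] for _ in range(len(B))]
    e = uniform_preimage(A, h, q, rng)
    return [(row[0] + ei) % q for row, ei in zip(matmul(transpose(B), s, q), e)]

def verify_component(A, z, h, q):
    """G.Vrfy's per-index test A_i z_i == H(M||i) (mod q)."""
    return [row[0] for row in matmul(A, [[x] for x in z], q)] == [x % q for x in h]

def demo(n=3, m=8, q=Q, seed=1):
    """(orthogonal, ok, leaks): A B^T == 0, an honest component verifies, and
    an A_bad not orthogonal to B^T fails because A_bad z = A_bad B^T s + h."""
    rng = random.Random(seed)
    A, B = make_keys(n, m, q, rng)
    orthogonal = matmul(A, transpose(B), q) == [[0] * n for _ in range(n)]
    h = [rng.randrange(q) for _ in range(n)]  # stands in for H(M||i)
    ok = verify_component(A, sign_component(A, B, h, q, rng), h, q)
    A_bad = rand_matrix(n, m, q, rng)
    leaks = not verify_component(A_bad, sign_component(A_bad, B, h, q, rng), h, q)
    return orthogonal, ok, leaks
```

Because $\mathbf{e}$ is drawn uniformly from the solution set, every coordinate of the signature passes the verifier's linear check; what separates the real signer's coordinate from the others is only the norm of $\mathbf{e}$, which is exactly what the NIWI proof and the opening algorithm (via $\mathrm{dist}(\Lambda(\mathbf{B}_i^T), \mathbf{z}_i)$) are about.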

Theorem 1. Let $m$, $q$, and $s$ be as described above. If $\mathrm{LWE}_{m,q,\alpha}$ is hard for $\alpha = s/(q\sqrt{2})$, and the proof system used is witness indistinguishable, then the group signature scheme described above is anonymous. If $\mathrm{GapSVP}_\gamma$ is hard for $\gamma = O(n\log^{3/4} n)$, then the group signature scheme described above is traceable.

³ Soundness of the proof system ensures that if $\sigma$ is valid, then some such $i$ exists except with negligible probability.

We note that for values of $s$ as described above, the hardness of $\mathrm{LWE}_{m,q,\alpha}$ is implied by the difficulty of finding a quantum algorithm for approximating $\mathrm{GapSVP}_\gamma$ for $\gamma = \tilde{O}(n/\alpha)$ [22], so our entire scheme can be based on the difficulty of finding a quantum algorithm for $\mathrm{GapSVP}$.

We prove anonymity in Section 3.3 and traceability in Section 3.4.

3.3 Anonymity 

Fix $N = \mathrm{poly}(n)$ and let $\mathcal{A}$ be a ppt adversary attacking the group signature scheme in the sense of Definition 1. Let $G_0$ denote the experiment of Definition 1 with $b = 0$, and let $G_1$ be the same experiment with $b = 1$. We consider a sequence of experiments $G_0, G_0', G_1', G_1$ and show that each experiment is indistinguishable from the one preceding it. This implies anonymity.

We review $G_0$ as applied to our group signature scheme. First, the key-generation algorithm $\mathsf{G.KeyGen}(1^n, 1^N)$ is run and $\mathcal{A}$ is given the public key $PK = \big((\mathbf{A}_i, \mathbf{B}_i)\big)_{i=1}^N$ and the users' secret keys $\mathbf{gsk} = (\mathbf{T}_i)_{i=1}^N$, where each $\mathbf{B}_i$ is statistically close to uniform and $(\mathbf{A}_i, \mathbf{T}_i) \leftarrow \mathsf{OrthoSamp}(1^n, 1^m, q, \mathbf{B}_i)$. (The tracing key $TK$ is irrelevant in the CPA-version of the anonymity experiment that we are considering.) Next, $\mathcal{A}$ outputs $i_0, i_1, M$, and is given a signature of user $i_0$ on $M$, computed as follows. Let $\mathbf{h}_i = H(M \| r \| i)$, for a random $r \in \{0,1\}^n$. Then $\mathbf{e}_{i_0}$ is computed as $\mathbf{e}_{i_0} \leftarrow \mathsf{GPVInvert}(\mathbf{A}_{i_0}, \mathbf{T}_{i_0}, s, \mathbf{h}_{i_0})$, whereas $\mathbf{e}_i$ (for $i \neq i_0$) is chosen uniformly subject to the condition that $\mathbf{A}_i\mathbf{e}_i = \mathbf{h}_i \pmod q$. Then, for all $i \in [N]$, choose random $\mathbf{s}_i \leftarrow \mathbb{Z}_q^n$ and compute $\mathbf{z}_i = \mathbf{B}_i^T\mathbf{s}_i + \mathbf{e}_i$. Finally, a proof $\pi$ is generated and $\mathcal{A}$ is given the signature $(r, \mathbf{z}_1, \ldots, \mathbf{z}_N, \pi)$.

In $G_0'$ we introduce the following modification with respect to $G_0$: when generating the signature, we now compute $\mathbf{e}_{i_0} \leftarrow \mathsf{GPVInvert}(\mathbf{A}_{i_0}, \mathbf{T}_{i_0}, s, \mathbf{h}_{i_0})$ and $\mathbf{e}_{i_1} \leftarrow \mathsf{GPVInvert}(\mathbf{A}_{i_1}, \mathbf{T}_{i_1}, s, \mathbf{h}_{i_1})$. (For $j \notin \{i_0, i_1\}$, the value $\mathbf{e}_j$ is computed as before.)

Claim. If the $\mathrm{LWE}_{m,q,\alpha}$ problem is hard, then $G_0$ and $G_0'$ are computationally indistinguishable.

Proof. Recall (cf. Lemma 1) that hardness of the $\mathrm{LWE}_{m,q,\alpha}$ problem implies hardness of the $\mathrm{LWE}_{m,q,\alpha q\sqrt{2}}$ problem. We use $\mathcal{A}$ to construct a ppt algorithm $\mathcal{D}$ for the $\mathrm{LWE}_{m,q,\alpha q\sqrt{2}}$ problem. $\mathcal{D}$ is given as input $(\mathbf{B}, \mathbf{y}) \in \mathbb{Z}_q^{n \times m} \times \mathbb{Z}_q^m$, where $\mathbf{B}$ is uniform and $\mathbf{y}$ is either uniform or equal to $\mathbf{B}^T\mathbf{s} + \mathbf{e}$ for $\mathbf{e} \sim D_{\mathbb{Z}^m, \alpha q\sqrt{2}}$.

$\mathcal{D}$ first chooses a random index $i^* \leftarrow [N]$ and sets $\mathbf{B}_{i^*} = \mathbf{B}$. For all $i \neq i^*$, it chooses $\mathbf{B}_i$ uniformly at random. Then, for $1 \leq i \leq N$, algorithm $\mathcal{D}$ computes $(\mathbf{A}_i, \mathbf{T}_i) \leftarrow \mathsf{OrthoSamp}(1^n, 1^m, q, \mathbf{B}_i)$. It gives $PK = \big((\mathbf{A}_i, \mathbf{B}_i)\big)_{i=1}^N$ and $\mathbf{gsk} = (\mathbf{T}_i)_{i=1}^N$ to $\mathcal{A}$. All $H$-queries of $\mathcal{A}$ are answered with random elements from the appropriate domain.

Eventually $\mathcal{A}$ outputs two identities $i_0, i_1 \in [N]$ along with a message $M$. If $i^* \neq i_1$ then $\mathcal{D}$ outputs a random bit and aborts. Otherwise, $\mathcal{D}$ creates a signature by choosing random $r \in \{0,1\}^n$ and fixing⁴ $\mathbf{h}_{i_1} \stackrel{\text{def}}{=} H(M \| r \| i_1) = \mathbf{A}_{i_1}\mathbf{y}$. (The value $\mathbf{h}_i = H(M \| r \| i)$ for $i \neq i_1$ is chosen uniformly.) Then $\mathcal{D}$ computes $\mathbf{e}_{i_0} \leftarrow \mathsf{GPVInvert}(\mathbf{A}_{i_0}, \mathbf{T}_{i_0}, s, \mathbf{h}_{i_0})$ and, for $i \notin \{i_0, i_1\}$, chooses $\mathbf{e}_i$ uniformly subject to the condition that $\mathbf{A}_i\mathbf{e}_i = \mathbf{h}_i \pmod q$. ($\mathcal{D}$ does not explicitly compute any value $\mathbf{e}_{i_1}$.) For $i \neq i_1$, the ciphertext $\mathbf{z}_i$ is computed as in $G_0$ and $G_0'$. However, $\mathcal{D}$ sets

$$\mathbf{z}_{i_1} = \mathbf{y}.$$

Let $\mathcal{D}_{\mathrm{rand}}$ denote the above experiment when $\mathcal{D}$'s input $\mathbf{y}$ is uniformly distributed. We claim that $\mathcal{A}$'s view in $\mathcal{D}_{\mathrm{rand}}$ is statistically close to its view in $G_0$. Indeed:

— In $G_0$ we have $\mathbf{h}_{i_1}$ chosen uniformly in $\mathbb{Z}_q^n$; then $\mathbf{e}_{i_1}$ is chosen uniformly subject to $\mathbf{A}_{i_1}\mathbf{e}_{i_1} = \mathbf{h}_{i_1}$; and finally $\mathbf{z}_{i_1} = \mathbf{B}_{i_1}^T\mathbf{s}_{i_1} + \mathbf{e}_{i_1}$.

— In $\mathcal{D}_{\mathrm{rand}}$ we have $\mathbf{z}_{i_1} = \mathbf{y} = \mathbf{B}_{i_1}^T\mathbf{s}_{i_1} + \mathbf{e}_u$ for $\mathbf{e}_u$ chosen uniformly in $\mathbb{Z}_q^m$; then $\mathbf{h}_{i_1} = \mathbf{A}_{i_1}\mathbf{e}_u$.

To see that these are statistically close, we demonstrate that the choice of $\mathbf{e}_{i_1}$ in $G_0$ is statistically close to uniform over $\mathbb{Z}_q^m$. We view $\mathbf{A}$ as a function from $\mathbb{Z}_q^m$ to $\mathbb{Z}_q^n$, and note that this function is regular (it is linear, so every point of its image has the same number of preimages). Furthermore, since the columns of $\mathbf{A}$ generate all of $\mathbb{Z}_q^n$ with all but negligible probability (over the choice of $\mathbf{A}$), our randomly chosen $\mathbf{h}$ is uniform over the image of $\mathbf{A}$. For a regular function, choosing a uniform element from the image, followed by a uniform element from its pre-image, is equivalent to choosing a uniform element from the domain, as is done in $\mathcal{D}_{\mathrm{rand}}$.

On the other hand, let $\mathcal{D}_{\mathrm{LWE}}$ denote the above experiment when $\mathcal{D}$'s input $\mathbf{y}$ is distributed according to $\mathbf{y} = \mathbf{B}^T\mathbf{s} + \mathbf{e}$ for $\mathbf{e} \sim D_{\mathbb{Z}^m, \alpha q\sqrt{2}}$. We claim that $\mathcal{A}$'s view in $\mathcal{D}_{\mathrm{LWE}}$ is statistically close to its view in $G_0'$. Indeed:

— In experiment $G_0'$ we have $\mathbf{h}_{i_1}$ chosen uniformly in $\mathbb{Z}_q^n$. Next, we compute $\mathbf{e}_{i_1} \leftarrow \mathsf{GPVInvert}(\mathbf{A}_{i_1}, \mathbf{T}_{i_1}, s, \mathbf{h}_{i_1})$; and finally $\mathbf{z}_{i_1} = \mathbf{B}_{i_1}^T\mathbf{s}_{i_1} + \mathbf{e}_{i_1}$.

— In $\mathcal{D}_{\mathrm{LWE}}$ we have $\mathbf{z}_{i_1} = \mathbf{y} = \mathbf{B}_{i_1}^T\mathbf{s}_{i_1} + \mathbf{e}_{i_1}$ for $\mathbf{e}_{i_1} \sim D_{\mathbb{Z}^m, \alpha q\sqrt{2}}$; then $\mathbf{h}_{i_1} = \mathbf{A}_{i_1}\mathbf{e}_{i_1}$.

The above are easily seen to be statistically close for our choice of parameters (note that $\alpha q\sqrt{2} = s$), again using the results of [11]. Since the probability that $\mathcal{D}$ does not abort is $1/N$, and its decision to abort is independent of $\mathcal{A}$'s success, the proof is complete.

The rest of the proof of anonymity is straightforward, and so we merely provide a sketch. Experiment $G_1'$ is identical to $G_0'$ with the exception that the proof $\pi$ is now computed using the witness $(\mathbf{s}_{i_1}, i_1)$ rather than $(\mathbf{s}_{i_0}, i_0)$. Witness indistinguishability of the proof system implies that $G_1'$ and $G_0'$ are computationally indistinguishable.

Computational indistinguishability of $G_1'$ and $G_1$ (the experiment from Definition 1 with $b = 1$) can be proved exactly as in the proof of the previous claim.
4 Note that, except with negligible probability, $H(M\|r\|i_1)$ has not been queried thus far.

3.4 Traceability

Fix $N = \mathrm{poly}(n)$ and let $\mathcal{A}$ be a ppt adversary attacking the group signature scheme in the sense of Definition 3. We construct a ppt forger $\mathcal{F}$ for the GPV signature scheme [11] (in the random oracle model) whose success probability is polynomially related to that of $\mathcal{A}$. Since the GPV signature scheme is secure assuming hardness of the GapSVP problem, this completes the proof.

We first observe that we may, without loss of generality, assume that $\mathcal{A}$ never corrupts all users in $[N]$, because $\mathcal{A}$ can succeed with only negligible probability in this case. (Given a valid signature $(r, \mathbf{z}_1, \ldots, \mathbf{z}_N, \pi)$, soundness of the proof system implies that G.Open outputs some $i \in [N]$ except with negligible probability.) We will assume this in what follows.

$\mathcal{F}$ is given a public key $\mathbf{A}$ for the GPV signature scheme, and begins by choosing a random index $i^* \in [N]$ and setting $\mathbf{A}_{i^*} = \mathbf{A}$. Next, it computes the values $(\mathbf{B}_{i^*}, \mathbf{S}_{i^*}) \leftarrow \mathrm{OrthoSamp}(1^n, 1^m, q, \mathbf{A}_{i^*})$. For all the remaining indices $i \neq i^*$, the forger computes the values $(\mathbf{B}_i, \mathbf{S}_i) \leftarrow \mathrm{TrapSamp}(1^n, 1^m, q)$ and $(\mathbf{A}_i, \mathbf{T}_i) \leftarrow \mathrm{OrthoSamp}(1^n, 1^m, q, \mathbf{B}_i)$ exactly as in the legitimate key-generation algorithm. After this, $\mathcal{F}$ gives $PK = (\mathbf{A}_i, \mathbf{B}_i)_{i=1}^{N}$ and $TK = (\mathbf{S}_i)_{i=1}^{N}$ to $\mathcal{A}$. We note that by Corollary E the distribution of these keys is statistically close to the distribution that is expected by the adversary.

$\mathcal{F}$ answers random oracle queries of $\mathcal{A}$ by simply passing these queries to its own random oracle. $\mathcal{F}$ responds to the other queries of $\mathcal{A}$ as follows:

— Corrupt($i$): if $i \neq i^*$ then $\mathcal{F}$ gives $\mathbf{T}_i$ to $\mathcal{A}$, while if $i = i^*$ then $\mathcal{F}$ aborts.

— Sign($i, M$): If $i \neq i^*$ then $\mathcal{F}$ computes the signature using $\mathbf{T}_i$ and the honest signing algorithm. If $i = i^*$, then:

1. $\mathcal{F}$ chooses random $r \in \{0,1\}^n$ and queries its own signing oracle on the message $M\|r\|i^*$. It receives in return a signature $\mathbf{e}_{i^*}$.

2. The remainder of the signature is computed using the honest signing algorithm. (Note that computation of $\mathbf{e}_{i^*}$ is the only aspect of signing that relies on the secret key of user $i^*$.)

Let $C$ denote the set of identities that $\mathcal{A}$ has queried to Corrupt. (Recall that if $\mathcal{F}$ has not aborted, then $i^* \notin C$.) At some point $\mathcal{A}$ outputs a message $M$ and signature $\sigma = (r, \mathbf{z}_1, \ldots, \mathbf{z}_N, \pi)$. Assume G.Vrfy($PK, M, \sigma$) $= 1$, and that Sign($i, M$) was never queried for $i \notin C$. Since $\mathcal{F}$ has the tracing key $TK$, it can compute $j \leftarrow$ G.Open($TK, M, \sigma$). If $j \neq i^*$ then $\mathcal{F}$ aborts. Otherwise, $\mathcal{F}$ does:

1. Use $\mathbf{S}_{i^*}$ to recover $\mathbf{e}_{i^*}$ such that

   — $\|\mathbf{e}_{i^*}\|_\infty \le s\sqrt{m}$, and

   — $\mathbf{z}_{i^*} - \mathbf{e}_{i^*} \in \Lambda(\mathbf{B}_{i^*})$.

2. Output the forgery $(M\|r\|i^*, \mathbf{e}_{i^*})$.

Let $\varepsilon$ denote the probability with which $\mathcal{A}$ succeeds in the experiment of Definition 3. It is easy to see that $\mathcal{F}$ aborts with probability at most$^5$ $(N-1)/N$ and, conditioned on not aborting, the view of $\mathcal{A}$ when run as a sub-routine by $\mathcal{F}$ is statistically close to its view in the experiment described in Definition 3. Thus, with probability at least $\varepsilon/N$ it holds that $\mathcal{A}$ outputs $(M, \sigma)$ with G.Vrfy($PK, M, \sigma$) $= 1$ and G.Open($TK, M, \sigma$) $= i^*$, and where $\mathcal{A}$ never queried Sign($i^*, M$). We show that whenever this occurs, then $\mathcal{F}$ outputs a valid forgery (except with negligible probability).

5 Actually, $\mathcal{F}$ aborts with probability at most $(N-1)/N + \mathrm{negl}(n)$, where the negligible term arises from the possibility that $\mathcal{A}$ violates soundness of the proof system. We ignore this for simplicity.

Fix $(M, \sigma)$ such that the above hold, and let $\sigma = (r, \mathbf{z}_1, \ldots, \mathbf{z}_N, \pi)$. Since G.Open($TK, M, \sigma$) $= i^*$, this implies that $\mathcal{F}$ will indeed be able to recover $\mathbf{e}_{i^*}$ such that (1) $\|\mathbf{e}_{i^*}\|_\infty \le s\sqrt{m}$ and (2) $\mathbf{z}_{i^*} - \mathbf{e}_{i^*} \in \Lambda(\mathbf{B}_{i^*})$. Moreover, since G.Vrfy($PK, M, \sigma$) $= 1$ we have $\mathbf{A}_{i^*}\mathbf{z}_{i^*} = H(M\|r\|i^*)$; since $\mathbf{A}_{i^*}(\mathbf{z}_{i^*} - \mathbf{e}_{i^*}) = \mathbf{0}$ this means $\mathbf{A}_{i^*}\mathbf{e}_{i^*} = H(M\|r\|i^*)$. Thus $\mathbf{e}_{i^*}$ is a valid GPV signature on the message $M\|r\|i^*$. Since $\mathcal{A}$ never queried Sign($i^*, M$), we know that $\mathcal{F}$ never queried its own signing oracle for a signature on $M\|r\|i^*$. It follows that the output of $\mathcal{F}$ is indeed a valid forgery.

Acknowledgments. We thank Chris Peikert for pointing out that the results


Abstract. Blind signatures (BS), introduced by Chaum, have become
a cornerstone in privacy-oriented cryptography. Using hard lattice prob- 
lems, such as the shortest vector problem, as the basis of security has 
advantages over using the factoring or discrete logarithm problems. For 
instance, lattice operations are more efficient than modular exponentia- 
tion and lattice problems remain hard for quantum and subexponential- 
time adversaries. Generally speaking, BS allow a signer to sign a message 
without seeing it, while retaining a certain amount of control over the 
process. In particular, the signer can control the number of issued sig- 
natures. For the receiver of the signature, this process provides perfect 
anonymity, e.g., his spendings remain anonymous when using BS for 
electronic money. 

We provide a positive answer to the question of whether it is possible 
to implement BS based on lattice problems. More precisely, we show how 
to turn Lyubashevsky’s identification scheme into a BS scheme, which 
has almost the same efficiency and security in the random oracle model. 

In particular, it offers quasi-linear complexity, statistical blindness, and 
its unforgeability is based on the hardness of worst-case lattice problems
with an approximation factor of $\tilde{O}(n^5)$ in dimension $n$. Moreover, it is the
first blind signature scheme that supports leakage-resilience, tolerating 
leakage of a (1 — o(l)) fraction of the secret key in a model that is inspired 
by Katz and Vaikuntanathan. 

Keywords: Blind signatures, post-quantum, lattices, provable security, 
leakage resilience. 

1 Introduction 

Since Chaum proposed his idea of blind signatures [Cha82], it has become an important primitive for anonymous Internet banking, e-voting (e.g., [jllHUAGZOTj]), as well as for oblivious transfer [CNS07]. These applications will retain their importance in both the near and the far future. As for the near future, we are convinced that current factoring and discrete logarithm based instantiations are efficient and secure. But for how long?

Today, when building provably secure cryptographic schemes, one also has to 
anticipate emerging technologies that may lead to new attacks. This is why we 
typically try to use the mildest possible assumptions. Let us consider the example of quantum computers as a metaphor for these future developments. In the quantum age, the cryptographic assumptions change with the leap in computing power that quantum computers will provide. There are only a few cryptographic assumptions that are conjectured to be post-quantum, i.e., they are considered to withstand quantum computer attacks. One of those assumptions is the hardness of finding short vectors in a lattice. Even for today, there are benefits when building cryptography upon hard lattice problems because, unlike factoring, they withstand subexponential attacks and the best known algorithms, e.g., [AKS01], have an exponential complexity in the lattice dimension. Furthermore, lattice problems typically allow a worst-case to average-case reduction that goes back to Ajtai [Ajt96]. It states that a randomly chosen instance of a certain lattice problem is at least as hard as the worst-case instance of a related lattice problem. Thus, choosing secure keys is easy. This reduction was later on adapted to work with ideal lattices by Lyubashevsky and Micciancio [LM06] because ideal lattices offer a compact public-key representation and very efficient operations at the expense of a slightly stronger assumption.

The security model, mainly influenced by Juels, Luby, and Ostrovsky [JLO97] as well as Pointcheval and Stern [PS00], requires blind signature schemes to satisfy blindness and one-more unforgeability. Blindness states that the signer must not obtain any information on the signed messages and one-more unforgeability means that an adversary cannot obtain more signatures than there were interactions with the signer.

Our Contribution. We construct the first lattice-based blind signature scheme. It is inspired by Lyubashevsky's ID scheme [Lyu08] in combination with the Fiat-Shamir paradigm [FS86]. It is unconditionally blind, selective-failure blind, and one-more unforgeable in the random oracle model [BR93] if standard lattice problems in ideal lattices [LM06] are hard in the worst case. With its four moves it is quite efficient. All operations have quasi-linear complexity and all keys and signatures require a quasi-linear amount of storage bits, with respect to the main parameter $n$. Moreover, it is leakage resilient according to a model inspired by Katz and Vaikuntanathan [KV09]. Let $L$ be the bit-length of the secret key. Our scheme remains secure even if the adversary obtains $L(1 - o(1))$ bits of the secret key via arbitrary side channels. This brings the security model closer to reality, where the adversary may obtain information about the secret key, e.g., via (remote) timing attacks or by having physical access to the signing device. When applied in e-voting or e-cash schemes, such a resilience also helps against insider attacks and may improve the trust that we are willing to grant these schemes. Another application of our construction is identity-based blind signatures, when combined with [Rüc10].

Our scheme is also the first leakage resilient blind signature scheme and our results in this respect are applicable to Lyubashevsky's ID and signature schemes [Lyu08, Lyu09]. It may be possible to use an analogue of Pointcheval and Stern's approach [PS00] to turn the leakage resilient variants [KV09, ADW09] of the Okamoto-Schnorr signature scheme [Sch91, Oka92] into blind signature schemes.
Table 1. Comparison of RSA, Okamoto-Schnorr, and our blind signature scheme

Scheme               | Secure until | Security (bits) | Moves | KeyGen    | Sign    | Verify
---------------------|--------------|-----------------|-------|-----------|---------|--------
RSA-1229             | 2012         | Current (76)    | 2     | 95 ms     | 16 ms   | 5 ms
RSA-3313             | 2050         | Medium (102)    | 2     | 1250 ms   | 46 ms   | 6 ms
RSA-15424            | 2282         | Future (256)    | 2     | 251849 ms | 2134 ms | 20 ms
OS-1229              | 2012         | Current (76)    | 3     | 16 ms     | 64 ms   | 24 ms
OS-3313              | 2050         | Medium (102)    | 3     | 46 ms     | 184 ms  | 69 ms
OS-15424             | 2282         | Future (256)    | 3     | 2134 ms   | 8536 ms | 3201 ms
Section 3 (n = 1024) | 2012         | Current (76)    | 4     | 37 ms     | 220 ms  | 33 ms
Section 3 (n = 2048) | 2050         | Medium (102)    | 4     | 52 ms     | 283 ms  | 57 ms
Section 3 (n = 8192) | 2282         | Future (256)    | 4     | 305 ms    | 1175 ms | 320 ms

The table compares our scheme with RSA and Okamoto-Schnorr for various moduli according to [Len05] (Current, Medium) and [ECR10] (Future). The bit lengths can be computed on www.keylength.com. For our blind signature scheme, we propose three optimized parameter sets for the same security levels based on [RS10], which provides a framework for choosing secure parameters for lattice-based cryptography. Note that the parameters for RSA and OS do not take potential quantum-computer attacks into account. All timings are averaged over 1000 random instances.

However, it is unclear whether this will actually work and whether it will be 
efficient. 

Table 1 compares RSA and Okamoto-Schnorr (OS) blind signatures with our construction in terms of computational cost. For all schemes, we propose parameter sets for current, medium, and future security levels. We believe that RSA is a good basis for comparison because it is easy to understand and very efficient, as signing only involves two modular exponentiations and verification can be done in a single one (small exponent). We do not count multiplications. As observed in [BNPS03], the security of the RSA blind signature scheme is based on a specially tailored interactive assumption that is stronger than the original RSA assumption [BMV08]. Taking all this into account, the timings observed for RSA provide an optimistic lower bound for current practical and secure schemes. The timings for OS are expected timings based on the number of modular exponentiations, not counting multiplications. We include OS because it follows the typical 3-move structure and is based on a standard assumption. It is therefore closer to our protocol. The timings were obtained on an AMD Opteron CPU running at 2.3 GHz. For RSA and OS, we have used OpenSSL 0.9.8g, which is supposed to be very efficient. For our blind signature schemes, we did a straightforward implementation, which certainly leaves room for improvements. Here, the timings reflect the full scheme.

From Table 1 we clearly see that our scheme benefits from its quasi-linear complexity, especially in higher levels of security. In addition, for our scheme, we can have various trade-offs between signature size and speed. For more details, refer to the full version [Rüc08]. There, we also show how to optimize the key and signature sizes, which are typically large in lattice-based constructions.

We believe that our work is an important contribution because the previous efficient constructions, such as [Cha82, IEB97, PS00, Abe01, BNPS03, ITRWfRl, Oka06], have one thing in common: they are built upon classic number theoretic assumptions, like the hardness of factoring large integers or computing discrete logarithms. The more recent approaches, e.g., by Boldyreva [Bol03] or Okamoto [Oka06], tend to use pairings that yield very elegant constructions. They, however, are again based on the discrete logarithm problem in this specific setting. None of the above schemes remains secure in the presence of reasonably large quantum computers, where both factoring and computing discrete logarithms become easy due to the seminal work of Shor [Sho97].

Main Obstacles. For every blind signature scheme, one has to overcome three basic obstacles. The scheme needs to be blind, one-more unforgeable, and at the same time complete. Blindness and unforgeability are already somewhat orthogonal because granting the user too much power to ensure blindness harms unforgeability and vice versa. Since we are working with lattices, we do not have access to a cyclic group structure as in schemes that are based on the DDH or DL assumptions. There, blindness is typically easier to achieve by multiplying the message with a random group element. The result is again a random group element.

In lattices, we need to emulate this over an infinite structure via a filtering technique that is inspired by [Lyu08]. However, this technique introduces a completeness defect that even affects the interaction of an honest user with an honest signer. Thus, the protocol may need to be restarted. We show how this technique can be refined to allow a time-memory trade-off, reducing the number of expected restarts at the expense of only slightly larger signatures. When addressing this defect, we need additional means to ensure blindness over repetitions of the protocol. Our solution involves a statistically hiding commitment.

Similarly, the completeness defect has implications with respect to unforge- 
ability as the user may claim that the protocol has failed, whereas it was indeed 
successful. Here, we extend the typical three-move structure to a four-move struc- 
ture where the user needs to demonstrate that he or she could not obtain a valid 
signature. Such a last move, from user to signer, is highly unusual for blind sig- 
nature schemes. We solve this issue by designing a special proof of failure and 
by employing a computationally binding commitment scheme. 

All these issues, and the additional leakage resilience, need to be addressed simultaneously as they are interconnected. This leads to an intricate process of correctly setting up the numerous parameters and sets for our scheme in Table 2.

RSA-style Blind Signatures. One might think that RSA-style (hash $\to$ blind $\to$ invert $\to$ unblind) lattice-based blind signatures can be implemented using the preimage sampleable trapdoor function $f : D \subset \mathbb{Z}^m \to \mathbb{Z}_q^n$ from [GPV08]. If certain lattice problems are hard, it is hard to sample preim ages from $D$ (small norm) unless one knows short vectors $\mathbf{x}$ such that $f(\mathbf{x}) = \mathbf{0}$. The user would hash the message $M$ using a full-domain hash $\mathbf{h} \leftarrow H(M)$ and blind using $M^* \leftarrow \mathbf{h} + f(\boldsymbol{\beta})$ for $\boldsymbol{\beta} \in D$. The signer would sample from $f^{-1}(M^*) \cap D$ and return the result $\boldsymbol{\sigma}^*$. The function is compressing, so there are no unique preimages. Using $\boldsymbol{\beta}$ and the fact that $f$ is linear, the user can compute $\boldsymbol{\sigma} \leftarrow \boldsymbol{\sigma}^* - \boldsymbol{\beta}$, which passes verification: $f(\boldsymbol{\sigma}) = f(\boldsymbol{\sigma}^*) - f(\boldsymbol{\beta}) = H(M)$. For the proof, one would rely on an interactive "one-more" trapdoor inversion assumption akin to [BNPS03]. However, the adversary must never obtain a non-zero $\mathbf{x} \in D$ such that $f(\mathbf{x}) = \mathbf{0}$ because this would imply learning a piece of the secret key. Unfortunately, such an attack is easy: take $\mathbf{u} \in D$ and send $M^* = f(\mathbf{u})$ to the signer, who returns $\boldsymbol{\sigma}^*$. Now, $\mathbf{x} = \mathbf{u} - \boldsymbol{\sigma}^*$ is small and $f(\mathbf{x}) = \mathbf{0}$. Also, $\mathbf{x} \neq \mathbf{0}$ with high probability because there are many preimages of $f(\mathbf{u})$.

Organization. After a brief preliminaries section, we propose our blind signature scheme in Section 3. There, we also provide a detailed analysis, including completeness, blindness, one-more unforgeability, and leakage resilience. The full version of the paper is [Rüc08]. There, we discuss how to choose practical parameters and prove all supporting lemmas for the theorems in Section 3.


2 Preliminaries 

With $n$, we always denote the security parameter. The joint execution of two algorithms $\mathcal{A}$ and $\mathcal{B}$ in an interactive protocol with private inputs $x$ to $\mathcal{A}$ and $y$ to $\mathcal{B}$ is written as $(a, b) \leftarrow \langle \mathcal{A}(x), \mathcal{B}(y) \rangle$. The private outputs are $a$ for $\mathcal{A}$ and $b$ for $\mathcal{B}$. Accordingly, $\langle \mathcal{A}(x), \mathcal{B}(y) \rangle^k$ means that the interaction can take place up to $k$ times. The statement $x \leftarrow_\$ X$ means that $x$ is chosen uniformly at random from the finite set $X$. Recall that the statistical distance of two random variables $X, Y$ over a discrete domain $D$ is defined as $\Delta(X, Y) = \tfrac{1}{2}\sum_{a \in D} \left|\mathrm{Prob}[X = a] - \mathrm{Prob}[Y = a]\right|$. A function is negligible if it vanishes faster than $1/p(n)$ for any polynomial $p$. All logarithms are base 2 and we identify $\{1, \ldots, k\}$ with $[k]$.

We recall the definitions of blind signatures and commitments. Afterwards, 
we briefly recall some facts from lattice theory. 


2.1 Blind Signatures 

A blind signature scheme BS consists of three algorithms (Kg, Sign, Vf), where Sign is an interactive protocol between a signer $\mathcal{S}$ and a user $\mathcal{U}$. The specification is as follows.

Key Generation. Kg($1^n$) outputs a private signing key sk and a public verification key pk.

Signature Protocol. Sign(sk, $M$) describes the joint execution of $\mathcal{S}$ and $\mathcal{U}$. The private output of $\mathcal{S}$ is a view $\mathcal{V}$ and the private output of $\mathcal{U}$ is a signature $s$ on the message $M \in \mathcal{M}$ with message space $\mathcal{M}$ under sk. Thus, we write $(\mathcal{V}, s) \leftarrow \langle \mathcal{S}(\mathrm{sk}), \mathcal{U}(\mathrm{pk}, M) \rangle$.

Signature Verification. The algorithm Vf(pk, $s$, $M$) outputs 1 if $s$ is a valid signature on $M$ under pk and otherwise 0.
Completeness is defined as with digital signature schemes, i.e., every honestly created signature for honestly created keys and for any message $M \in \mathcal{M}$ has to be valid under this key. Views are interpreted as random variables, whose output is generated by subsequent executions of the respective protocol. Two views $\mathcal{V}_1$ and $\mathcal{V}_2$ are considered equal if they cannot be distinguished by any computationally unbounded algorithm with noticeable probability.

As for security, blind signatures have to satisfy two properties: blindness and one-more unforgeability [JLO97, PS00]. The notion of blindness is defined in an experiment $\mathrm{Exp}^{\mathrm{blind}}_{\mathcal{S}^*, \mathrm{BS}}$, where the adversarial signer $\mathcal{S}^*$ works in three modes. In mode find, it chooses two messages $M_0, M_1$ and interacts with two users in mode issue. Depending on a coin flip $b$, the first (second) user obtains a blind signature for $M_b$ ($M_{1-b}$). After seeing the unblinded signatures in the original order, with respect to $M_0, M_1$, the signer has to guess the bit $b$ in mode guess. If either of the user algorithms fails in outputting a valid signature, the signer is merely notified of the failure and does not get any signature. Below, we deal with aborts as an extension. Also note that we allow the adversary to keep a state that is fed back in subsequent calls. A scheme BS is $(t, \delta)$-blind if there is no adversary $\mathcal{S}^*$, running in time at most $t$, that wins the above experiment with advantage at least $\delta$, where the advantage is defined as $\mathrm{Adv}^{\mathrm{blind}}_{\mathcal{S}^*, \mathrm{BS}} = \left|\mathrm{Prob}\left[\mathrm{Exp}^{\mathrm{blind}}_{\mathcal{S}^*, \mathrm{BS}}(n) = 1\right] - \tfrac{1}{2}\right|$. A scheme is statistically blind if it is $(\infty, \delta)$-blind for a negligible $\delta$. The second security property, one-more unforgeability, ensures that each completed interaction between signer and user yields at most one signature. It is formalized in the experiment $\mathrm{Exp}^{\mathrm{omf}}_{\mathcal{A}, \mathrm{BS}}$, where an adversarial user tries to output $j$ valid signatures after strictly fewer than $j$ completed interactions with an honest signer. $\mathcal{H}$ is a family of random oracles.

A signature scheme BS is $(t, q_{\mathrm{Sign}}, q_{\mathrm{H}}, \delta)$-one-more unforgeable if there is no adversary $\mathcal{A}$, running in time at most $t$, making at most $q_{\mathrm{Sign}}$ signature queries and at most $q_{\mathrm{H}}$ hash oracle queries, that wins the above experiment with probability at least $\delta$.

2.2 Extensions 

We consider three extensions to the above security model for blind signatures: 
one deals with user aborts, the second with dishonestly chosen keys, and the 
third with leakage resilience. 

Security Under Aborts. Blindness in the previous subsection does not cover the case where the protocol is aborted prematurely. There is the strengthened notion of selective failure blindness [CNS07], where the malicious signer may choose either $M_0$ or $M_1$ according to some secret distribution that makes the protocol fail. Preventing this generically is easy, as was shown by Fischlin and Schröder in [FS09]. In the course of the discussion of our construction, we argue that it already is blind in this sense.

Adversely-chosen Keys. Consider the blindness experiment in [ANN06]. Instead of having the experiment select pk, sk, we can let the signer output pk. Blindness may be harder to achieve in this setting. However, our construction remains blind in this stronger model as the proof does not exploit specifics about the key.

Leakage Resilience. Resilience to key leakage is a way to ensure security against side-channel attacks. In [KV09], Katz and Vaikuntanathan give a nice overview of past developments and the evolution of leakage resilience for authenticity and secrecy. Obviously, we are interested in authenticity in the special case of blind signatures. We model key leakage in the unforgeability experiment by adding a leakage oracle Leak($\cdot$) to $\mathrm{Exp}^{\mathrm{omf}}_{\mathcal{A}, \mathrm{BS}}$. The adversary can adaptively query Leak with a series of functions $f_i$, $i \in \{1, \ldots, \kappa\}$, and receives $f_i(\mathrm{sk})$. The only restriction is that $\sum_{i=1}^{\kappa} |f_i(\mathrm{sk})| \le \lambda(|\mathrm{sk}|)$, where the function $\lambda$ determines the amount of leakage that we are willing to tolerate. Notice that the signer's key does not have to evolve over time and its secret state consists of the secret key only. Furthermore, observe that this extension is only sensible as long as $\lambda(|\mathrm{sk}|) < \min\{|\mathrm{sk}|, |s|\}$, where $|\cdot|$ denotes bit-length and $s$ is a signature. Otherwise, the adversary could easily obtain the entire secret key or a signature of its choice. See the full version [Rüc08] for the experiment. To demonstrate leakage resilience, one has to show that the conditional min-entropy $H_\infty(\mathrm{sk} \mid \mathrm{Leak}(\mathrm{sk})) = \min_{\mathrm{sk}'}\left\{-\log\left(\mathrm{Prob}[\mathrm{sk} = \mathrm{sk}' \mid \mathrm{Leak}(\mathrm{sk})]\right)\right\}$ of the secret key is still sufficiently large to prove security.

2.3 Commitments 

Commitments typically work in two phases. First, one party publishes a commitment $C = \mathrm{com}(M; r) \in \{0,1\}^n$, $r \leftarrow_\$ \{0,1\}^n$, to a message $M \in \{0,1\}^*$ without revealing any information about it. This is the "hiding" property of the commitment scheme. In the second phase, the party can prove that $C$ actually corresponds to $M$ by revealing $r$. It is important that no algorithm can find a second message $M'$ and randomness $r'$ such that $C = \mathrm{com}(M'; r')$, i.e., break the "binding" property. As usual, these properties are defined for families of such commitment functions. A scheme is $(t, \delta)$-hiding (-binding) if there is no algorithm running in time at most $t$ that can break the hiding (binding) property with probability at least $\delta$. Both properties can be satisfied computationally or unconditionally, but there is no scheme that is unconditionally hiding and unconditionally binding [Gol04].

For our scheme, we assume a statistically $\delta_{\mathrm{com}}$-hiding and computationally $(t_{\mathrm{com}}, \delta_{\mathrm{com}})$-binding commitment scheme. As we are interested in fully lattice-based schemes, we would like to point out that such commitment schemes can be built upon hard lattice problems [KTX08], but in practice one rather uses cryptographic hash functions as a message authentication code, for example using a lattice-based hash function [ADL+08].

2.4 Lattices 

A lattice in $\mathbb{R}^n$ is a discrete set $\Lambda = \{\sum_{i=1}^{d} x_i \mathbf{b}_i \mid x_i \in \mathbb{Z}\}$, where $\mathbf{b}_1, \ldots, \mathbf{b}_d$ are linearly independent over $\mathbb{R}$. The matrix $\mathbf{B} = [\mathbf{b}_1, \ldots, \mathbf{b}_d]$ is a basis of the lattice $\Lambda$ and we write $\Lambda = \Lambda(\mathbf{B})$. The dimension of the lattice is $d$. The main computational problem in lattices is the shortest vector problem (SVP), where an algorithm is given a description, a basis, of a lattice $\Lambda$ and is supposed to find the shortest vector $\mathbf{v} \in \Lambda \setminus \{\mathbf{0}\}$ with respect to a certain $\ell_p$ norm (up to an approximation factor). More precisely, find a vector $\mathbf{v} \in \Lambda \setminus \{\mathbf{0}\}$ such that $\|\mathbf{v}\|_p \le \gamma \|\mathbf{w}\|_p$ for all $\mathbf{w} \in \Lambda \setminus \{\mathbf{0}\}$ for a fixed approximation factor $\gamma \ge 1$.

In this work, we are interested in a special family of lattices related to ideals in the ring $R = \mathbb{Z}_q[X]/(g)$, where $q$ is prime and $\mathbb{Z}_q = \{-(q-1)/2, \ldots, (q-1)/2\}$. We focus on $g = X^n + 1$ and $n$ a power of two for efficiency reasons, but it may be replaced by any irreducible polynomial over $\mathbb{Z}$. Then, our scheme and the analysis become only slightly more involved. We identify $f \in R$ with its coefficient vector $\mathbf{f} = (f_0, \ldots, f_{n-1}) \in \mathbb{Z}^n$. Furthermore, we denote elements of the $R$-module $R^m$ with $\mathbf{a} = (a_0, \ldots, a_{m-1})$ or directly with $(a_0, \ldots, a_{mn-1}) \in \mathbb{Z}^{mn}$. Consequently, we define $\|f\|_\infty = \|(f_0, \ldots, f_{n-1})\|_\infty$. The norm on $R$ is a slight abuse of notation, but it will only be used if $f$ has small coefficients over $\mathbb{Z}$. A lattice corresponds to an ideal $I \subset R$ if and only if every lattice vector is the coefficient vector of a polynomial in $I$. The SVP problem easily translates to ideal lattices, where we call it ideal-SVP (ISVP).

The average-case hardness assumption for our construction relies on the problem of finding short vectors in the kernel of the family $\mathcal{H}(R, m)$ of module homomorphisms $h_{\mathbf{a}} : R^m \to R$, $\mathbf{x} \mapsto \mathbf{a} \odot \mathbf{x} = \sum_{i=0}^{m-1} a_i x_i$, when restricting the domain to $D \subset R$, i.e., restricting the coefficients in the input to $[-2d, 2d] \cap \mathbb{Z}$. This problem can be stated as the following collision problem [LM06].

Definition 1 (Collision Problem). The collision problem $\mathrm{Col}(\mathcal{H}(R, m), D)$ asks to find a distinct pair $(\mathbf{x}, \mathbf{x}') \in D^m \times D^m$ such that $h(\mathbf{x}) = h(\mathbf{x}')$ for $h \leftarrow_\$ \mathcal{H}(R, m)$.

Obviously, the function is linear over $R^m$, i.e., $h(a(\mathbf{x} + \mathbf{y})) = a(h(\mathbf{x}) + h(\mathbf{y}))$ for all $a \in R$, $\mathbf{x}, \mathbf{y} \in R^m$. In addition, solving $\mathrm{Col}(\mathcal{H}(R, m), D)$ implies being able to solve $\mathrm{ISVP}^\infty$ in every lattice that corresponds to an ideal in $R$ by the following theorem.

Theorem 1 (Worst-case to Average-case, Theorem 2 in [LM06]). Let $D = \{f \in R : \|f\|_\infty \le d\}$, $m > \log(q)/\log(2d)$, and $q \ge 4dmn\sqrt{n}\log(n)$. An adversary $\mathcal{C}$ that solves the $\mathrm{Col}(h, D)$ problem, i.e., finds distinct preimages $\mathbf{x}, \mathbf{y} \in D^m$ such that $h(\mathbf{x}) = h(\mathbf{y})$, can be used to solve $\mathrm{ISVP}^\infty$ with approximation factors $\gamma \ge 16dmn\log^2(n)$ in the worst case.

3 Blind Signatures from Ideal Lattices 

We construct a lattice-based blind signature scheme. It is secure in the random oracle model under a worst-case assumption in ideal lattices and its time and space complexity is quasi-optimal, $\tilde{O}(n)$.

The road map for this section is as follows: We describe the 4-move blind signature scheme BS. Then, we prove completeness, blindness, and one-more unforgeability. Proving completeness is non-trivial as we need to address an inevitable completeness defect. In the course of the discussion we show that it neither harms security nor efficiency. Afterwards, we prove that the scheme is statistically blind and that it is one-more unforgeable unless the collision problem $\mathrm{Col}(\mathcal{H}(R, m), D)$ is easy. In consequence, one-more unforgeability can be based on the worst-case hardness of the ISVP. After the main analysis, we prove that our scheme also supports leakage resilience.

Observe that the scheme requires lots of parameters that need to be carefully worked out. Their definition in Table 2 will be justified later in the analysis. We chose not to "unwind" the parameters $d_s$, $d_\varepsilon$, etc. because we need their relative size in the various lemmas below, making the proofs easier to understand. The asymptotics in the third column should help estimating their magnitude. The parameter $d_\varepsilon$ is a constant 1 here, but it can be increased if it is necessary to sign hash values of bit length $> n\log_2(3)$. The "usage" hint in the table points at the section where they are most influential. As for selecting practical parameters, we refer the reader to the full version [Rüc08]. There, we propose secure parameter sets based on the analysis in [RS10]. The full version also includes a discussion on possible trade-offs for efficiency.

Table 2. Parameters for the security parameter n

[Table body not legible in this copy: each row defines one parameter or one set of the form $\{f \in R : \|f\|_\infty \le d_\cdot\}$ via a norm bound, followed by its asymptotic growth in $n$ and its main usage.]

The table defines all parameters and sets for our scheme. The sets are defined via a norm bound, for which we also state the asymptotic growth with respect to the security parameter $n$. The last column states the main usage for the individual parameter or set. Some sets introduce a completeness error to the scheme that can be reduced by increasing $\phi$. Reducing this defect also significantly improves performance. All sets are subsets of the ring $R = \mathbb{Z}_q[X]/(X^n + 1)$.


3.1 Our Construction 

We construct our blind signature scheme BS = (Kg, Sign, Vf) as follows. 
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Signer S( s) 


My) 


m 


* g g? y 
Trigger restart 


E 


0 


If result ok 

Parse result = (C, a, p, e) 

If (e* + a = e = H(Y - Sa - h0),C) 
and H(/i(z* — ft) — Se, C) = e 
and z* - /3 £ G”) 

Trigger restart 
Output V <— (y, Y, e*, z*) 


User U(S, M) 


'*-•{0,1}" 

C *— com(M;r) 
a<—$D a 

e «- H(Y - Sq - h0),C) 

If*! iD* ^ h 


result <- 


ofc 


Output (M,(r,z,e)) or ± when 


?ok 


Fig. 1. Issue protocol of the blind signature scheme BS. All parameters and sets are 
defined in Table El Note that the signer implicitly verifies that the user’s protocol 
messages come from the correct domains. 


Key Generation. $\mathrm{BS.Kg}(1^n)$ selects a secret key $s \leftarrow_{\$} D_s^m$ and a compression
function $h \leftarrow_{\$} \mathcal{H}(R, m)$. Let $\mathcal{C}(1^n)$ be a commitment scheme, mapping
$\{0,1\}^* \times \{0,1\}^n \to \{0,1\}^n$. The algorithm chooses a function $\mathrm{com} \leftarrow_{\$} \mathcal{C}(1^n)$
and, in addition, selects $H \leftarrow_{\$} \mathcal{H}(1^n)$ mapping $\{0,1\}^* \to D_\varepsilon \subset D$.

Then, it computes the public key $S \leftarrow h(s)$ and outputs $(s, S)$. For
simplicity, we treat $h$, com, $H$, and the parameters in Table 1 as globally
known and implicit inputs to all algorithms. However, each signer may choose
them individually and include them in the public key.

Signature Protocol. The signature issue protocol for messages $M \in \{0,1\}^*$
is depicted in Figure 1. Eventually, the user outputs a message $M$ and a
signature $(r, z, e)$.

Notes: Upon a restart after Step 2, the user only selects a fresh $\alpha \leftarrow_{\$} D_\alpha$
and repeats the operations that involve $\alpha$. Whenever the signer triggers a
restart, the user chooses a fresh $r$ in order to make the protocol execution
independent of the previous ones. Therefore, we omit values from previous
runs in the signer’s view. During Step 5, the signer can detect a cheating
user that tries to trigger a restart despite having received a valid signature.
In this case, the signer can stop the protocol and assume that the user has
obtained a valid signature.

Verification. $\mathrm{BS.Vf}(S, (r, z, e), M)$ outputs 1 iff $z \in G^m$ and
$H(h(z) - Se, \mathrm{com}(M; r)) = e$.

3.2 Analysis and Security

In this section, we analyze our blind signature scheme with regard to completeness,
blindness, one-more unforgeability, and leakage resilience. For each aspect,
we prove a main theorem. Supporting lemmas are stated before the theorems
and proven in the full version [Rüc08].

Completeness. Completeness of BS is a non-trivial issue due to the eventual 
restarts and the many parameters involved. The next lemma ensures that the 
number of restarts is small, effectively constant. 

Lemma 1. Let $k = \Omega(n)$, $a, b \in \mathbb{Z}^k$ with arbitrary $a \in \{v \in \mathbb{Z}^k : \|v\|_\infty \le A\}$
and random $b \leftarrow_{\$} \{v \in \mathbb{Z}^k : \|v\|_\infty \le B\}$. Given $B \ge \phi k A$ for $\phi \in \mathbb{N}_{>0}$, we have
$\mathrm{Prob}[\|a - b\|_\infty \le B - A] \ge e^{-1/\phi} - o(1)$.

Theorem 2 (Completeness). Let $g(n) = \omega(\log_2(n))$. The scheme BS is complete
after at most $g(n)$ (or, an expected number of $e^{2/\phi}$) repetitions.

See the full version [Rüc08] for the proof. There, we also argue that $\phi = 4$ is a
good choice to make the protocol more efficient in practice. Observe that in any
case, all operations (including eventual restarts) in BS have $\tilde{O}(n)$ complexity
and that private keys, public keys, and signatures have size $\tilde{O}(n)$.

Blindness. We prove that BS is statistically blind based on the observation that
the signer only sees values that are independent of the message being signed.
More precisely, the views generated by two different messages are indistinguishable.
For this argument to work, we require a statistically hiding commitment
scheme and carefully selected sets $D_\alpha$, $D_\beta$, $D_{\varepsilon^*}$, and $G$. The following probabilistic
lemma is crucial as it guarantees that the user’s message after Step 2
and the final output are independent of the message. In the context of $\mathrm{Exp}^{\mathrm{blind}}_{\mathrm{BS}}$,
this establishes a form of witness indistinguishability w.r.t. the messages that
are chosen by the malicious signer.

Lemma 2. Let $k \in \mathbb{N}$, $a, a', b \in \mathbb{Z}^k$ with arbitrary $a, a' \in \{v \in \mathbb{Z}^k : \|v\|_\infty \le A\}$,
a random $b \leftarrow_{\$} \{v \in \mathbb{Z}^k : \|v\|_\infty \le B\}$ for $B > A$. We define the random
variables $c \leftarrow a - b$ and $c' \leftarrow a' - b$ if $\max\{\|a - b\|_\infty, \|a' - b\|_\infty\} \le B - A$,
otherwise, we resample $b$. Then, $\Delta(c, c') = 0$.

The role of com is to ensure that the signer can only obtain negligible information
from restarts. Notice that BS is perfectly blind ($(\infty, 0)$-blind) if the commitment
scheme is perfect (0-hiding).
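The rejection step behind Lemmas 1 and 2 can be verified exactly on small parameters. The script below is an added illustration, not code from the paper: it enumerates $b$ over the box of radius $B$, builds the distribution of $c = a - b$ conditioned on $\|a - b\|_\infty \le B - A$ separately for two different $a$ (the two users’ independent samplings), checks that $\Delta(c, c') = 0$, and compares the single-trial acceptance probability for $B = \phi k A$ with the $e^{-1/\phi}$ bound; the concrete $k$, $A$, $B$, $\phi$ are my choices.

```python
"""Exact check of the rejection step behind Lemmas 1 and 2.

Added illustration, not code from the paper.  Distributions are built by
full enumeration, so k, A and B must stay small (a few thousand vectors)."""
from collections import Counter
from fractions import Fraction
from itertools import product
from math import exp


def box(k, bound):
    """All integer vectors v in Z^k with ||v||_inf <= bound."""
    return list(product(range(-bound, bound + 1), repeat=k))


def inf_norm(v):
    return max(abs(x) for x in v)


def rejection_distribution(a, k, A, B):
    """Distribution of c = a - b for b uniform in box(k, B), conditioned on
    ||a - b||_inf <= B - A (the 'resample b otherwise' rule of Lemma 2).

    Returns (dist, accept): dist maps each c to its exact probability and
    accept is the probability that one trial is not rejected (Lemma 1)."""
    assert inf_norm(a) <= A < B
    counts = Counter()
    total = 0
    for b in box(k, B):
        total += 1
        c = tuple(ai - bi for ai, bi in zip(a, b))
        if inf_norm(c) <= B - A:
            counts[c] += 1
    accepted = sum(counts.values())
    dist = {c: Fraction(n, accepted) for c, n in counts.items()}
    return dist, Fraction(accepted, total)


def statistical_distance(p, q):
    """Delta(p, q) = 1/2 * sum_x |p(x) - q(x)| over the union of the supports."""
    support = set(p) | set(q)
    return sum(abs(p.get(x, 0) - q.get(x, 0)) for x in support) / 2


def lemma2_distance(a, a_prime, k, A, B):
    """Delta(c, c') for two arbitrary 'secrets' a, a' of norm at most A.
    Lemma 2 says this is exactly 0: the conditioned c is uniform on
    box(k, B - A) whatever a was, so an observer of c learns nothing about a."""
    p, _ = rejection_distribution(a, k, A, B)
    q, _ = rejection_distribution(a_prime, k, A, B)
    return statistical_distance(p, q)


def lemma1_acceptance(k, A, phi):
    """Single-trial acceptance probability for B = phi*k*A, next to the
    e^{-1/phi} bound of Lemma 1 that it approaches as k grows.  The count of
    accepted b does not depend on a, so a = (A, ..., A) is as good as any."""
    B = phi * k * A
    _, accept = rejection_distribution(tuple([A] * k), k, A, B)
    return accept, exp(-1 / phi)


if __name__ == "__main__":
    print("Delta(c, c') =", lemma2_distance((1, -1), (0, 1), 2, 1, 3))
    acc, bound = lemma1_acceptance(3, 1, 3)
    print("acceptance =", acc, "~", float(acc), " e^(-1/phi) =", bound)
```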

Theorem 3 (Blindness). BS is $(\infty, \delta_{\mathrm{com}})$-blind if com is $\delta_{\mathrm{com}}$-hiding.

Proof. As per experiment $\mathrm{Exp}^{\mathrm{blind}}_{\mathrm{BS}}$, the adversarial signer outputs two messages
$M_0, M_1$ and interacts with two users $\mathcal{U}(S, M_b)$, $\mathcal{U}(S, M_{1-b})$ after a secret coin
flip $b \leftarrow \{0,1\}$. We show that these users do not leak any information about
their respective message.

Technically, we establish that all protocol messages and the output, when
interpreted as random variables, are distributed independently of the message
being signed. This involves an analysis of $e^*$, $z$, and eventual restarts. As for $e$
and $r$ we need not worry. They are chosen uniformly at random.

Distribution of $e^*$. Let $e^*_b, e^*_{1-b}$ be the first protocol messages of $\mathcal{U}(pk, M_b)$
resp. $\mathcal{U}(pk, M_{1-b})$. They are in $D_{\varepsilon^*}$ and they are both of the form $e - \alpha$ with
$e \in D_\varepsilon$ and $\alpha \leftarrow_{\$} D_\alpha$. The statistical distance $\Delta(e^*_b, e^*_{1-b})$ is 0 by Lemma 2
($k = n$, $A = d_\varepsilon$, $B = d_\alpha$) because the coefficients in $D_{\varepsilon^*}$ are bounded by
$B - A = d_\alpha - d_\varepsilon$.

Distribution of $z$. Let $z_0, z_1$ be part of the final output of $\mathcal{U}(pk, M_0)$ resp.
$\mathcal{U}(pk, M_1)$. Both are of the form $z^* - \beta$ for $z^* \in G^{*m}$ and $\beta \leftarrow_{\$} D_\beta^m$. Furthermore, $z_0$
and $z_1$ are forced to be in $G^m$, having coefficients bounded by $d_\beta - d_{G^*}$. Hence,
the statistical distance $\Delta(z_0, z_1)$ is 0 because of Lemma 2 ($k = mn$, $A = d_{G^*}$,
$B = d_\beta$).

Restarts. Observe that each protocol run is statistically independent of the
previous runs by the statistical hiding property of the commitment com and
because the user selects fresh $r, \alpha, \beta$ after every restart. This is the reason why
we inherit the statistical $\delta_{\mathrm{com}}$-hiding property to obtain $(\infty, \delta_{\mathrm{com}})$-blindness
instead of perfect blindness. Finally, we need to argue about the restart
after Step 4. The user sends $(C, \alpha, \beta, e)$ to the signer. This information
allows the verification of the signature with respect to $C$. The message is still
statistically hidden by the hiding property of com because the user never
reveals the decommitment $r$.

Hence, the protocol hides the to-be-signed message and subsequent runs of the
protocol for the same message are statistically independent. □

Furthermore, our scheme already supports selective failure blindness as shown in
[FS09] because we are signing commitments instead of the adversarially chosen
messages. Even the fourth move does not reveal any information about the message
due to the hiding property of the commitment.

One-more Unforgeability. In this section, we show that BS is one-more unforgeable,
provided that the collision problem $\mathrm{Col}(\mathcal{H}(R, m), D)$ is hard and the
commitment scheme is binding. The main tool in the reduction is the Forking
Lemma [PS00, BN06]. To simulate the environment, especially blind signature
queries, for the attacker $\mathcal{A}$ in the unforgeability experiment, we require that there
are at least two possible secret keys for each public key $S$ (Lemma 3). Moreover,
we need the signature protocol to be witness indistinguishable to prevent the
attacker from learning the secret key (Lemma 4). The binding property of com
is necessary to prevent an attacker from obtaining one signature that works for
two messages by changing the message under the commitment. All other attackers
output at least one signature that does not correspond to a completed
interaction. Here, we apply the Forking Lemma to extract knowledge about the
secret key that was used to compute the forgery. Using this knowledge the reduction
can solve the collision problem. Finally, we need to deal with Step 5 in the
protocol. The adversary proves that it was unable to obtain a valid signature.
We show that this is sufficient if Col is hard.

Since the function family $\mathcal{H}(R, m)$ compresses the domain $D_s^m$, it is easy to
show that all secret keys collide with at least one other secret key.

Lemma 3. Let $h \in \mathcal{H}(R, m)$. For every secret key $s \leftarrow_{\$} D_s^m$, there is a second
$s' \in D_s^m \setminus \{s\}$ with $h(s) = h(s')$ (with overwhelming probability).

The next lemma establishes witness indistinguishability of the protocol. Witness
indistinguishability ensures that the malicious verifier cannot distinguish
whether the prover uses one of two possible secret keys $s, s' \in h^{-1}(S) \cap D_s^m$.
Basically, it can be interpreted as an application of Lemma 2 to
$z^* = s e^* + y \in G^{*m}$ with some further observations. The choice of $y \leftarrow_{\$} D_y^m$ and the restriction
“$\in G^{*m}$” hide the first summand.

Lemma 4. Let $h \in \mathcal{H}(R, m)$ and $S \in R$. For any message $M$ and any two secret
keys $s, s' \in D_s^m$ with $h(s) = S = h(s')$, the resulting protocol views $(Y, e^*, z^*)$
and $(Y', e^{*\prime}, z^{*\prime})$ are indistinguishable.

Using Lemmas 3 and 4 we can exploit witness indistinguishability to simulate
all blind signature oracle queries with a secret key $s$ and at the same time expect
the adversary to output a forgery that corresponds to a different secret
key $s'$ with non-negligible probability or break the binding property of the
commitment scheme. We apply the Forking Lemma to extract a solution to
$\mathrm{Col}(\mathcal{H}(R, m), D)$.

Theorem 4 (One-more unforgeability). Let Sig be the signature oracle. Let
$T_{\mathrm{Sig}}$ and $T_H$ be the cost functions for simulating the oracles Sig and $H$, and let
$c < 1$ be the probability for a restart in the protocol. BS is $(t, q_{\mathrm{Sign}}, q_H, \delta)$-one-more
unforgeable if com is $(t', \delta/2)$-binding and $\mathrm{Col}(\mathcal{H}(R, m), D)$ is $(t', \delta'/2)$-hard with
$t' = t + q_H (q_{\mathrm{Sign}} T_{\mathrm{Sig}} + q_H T_H)$ and non-negligible $\delta'$ if $\delta$ is non-negligible.

The probability $\delta'$ depends on the number of issued signatures. It can be found
at the end of the proof.

Proof. Towards contradiction, we assume that there exists a successful forger $\mathcal{A}$
against one-more unforgeability of BS with non-negligible probability $\delta$. Using
$\mathcal{A}$, we construct an algorithm $\mathcal{B}$, such that it either solves the collision problem
or breaks the binding property of com.

Setup. $\mathcal{B}$ flips a coin $b \leftarrow_{\$} \{0,1\}$. For $b = 0$, it selects $h \leftarrow_{\$} \mathcal{H}(R, m)$. For $b = 1$,
it gets the description of $h$ as input. $\mathcal{B}$ initializes a list $L_H$ of query-hash
pairs $(R \times \{0,1\}^*, D_\varepsilon)$. It chooses $s \leftarrow_{\$} D_s^m$ and sets $S \leftarrow h(s)$. Furthermore, it
randomly pre-selects random oracle answers $h_1, \ldots, h_{q_H} \leftarrow_{\$} D_\varepsilon$ and a random
tape $\rho$. It runs $\mathcal{A}(S; \rho)$ in a black-box simulation.

Random Oracle Queries. On input $(u, C)$, $\mathcal{B}$ looks up $(u, C)$ in $L_H$. If it finds a
corresponding hash value $e$ then it returns $e$. Otherwise, $\mathcal{B}$ selects the first
unused $e$ from the list $h_1, \ldots, h_{q_H}$, stores $((u, C), e)$ in $L_H$, and returns $e$.
Blind Signature Queries. $\mathcal{B}$ acts according to the protocol in Figure 1.

Output. Eventually, $\mathcal{A}$ stops and outputs $(M_1, (r_1, z_1, e_1)), \ldots, (M_j, (r_j, z_j, e_j))$,
$q_{\mathrm{Sign}} + 1 = j$, for distinct messages. If $b = 0$, the reduction looks for two pairs
$(M^*, (r^*, z^*, e^*))$ and $(M^\dagger \ne M^*, (r^\dagger, z^*, e^*))$ and outputs $(M^*, r^*), (M^\dagger, r^\dagger)$
to break the binding property of com. If there is no such collision, $\mathcal{B}$ aborts.
If $b = 1$, the simulator $\mathcal{B}$ guesses an index $k \leftarrow_{\$} [j]$ such that $h_i = e_k$ for some
$i \in [q_H]$. Then, $\mathcal{B}$ starts over, running $\mathcal{A}(S; \rho)$ with random oracle answers
$h_1, \ldots, h_{i-1}, h'_i, \ldots, h'_{q_H}$ for a fresh set $h'_i, \ldots, h'_{q_H} \leftarrow_{\$} D_\varepsilon$. Both $\mathcal{A}$ and $\mathcal{B}$ are
run with the same random tape as in the first run. Among other values, $\mathcal{A}$
outputs $(M'_k, (r'_k, z'_k, e'_k))$ and $\mathcal{B}$ returns $(z_k - s e_k, z'_k - s e'_k)$ if $e'_k \ne e_k$ in an
attempt to solve $\mathrm{Col}(\mathcal{H}(R, m), D)$. If $e'_k = e_k$, the reduction retries at most
$q_H$ times with a different random tape and random oracle.

Analysis. $\mathcal{A}$’s environment is perfectly simulated. Especially, restarts happen
with the same probability as in the original protocol. For $b = 0$, $\mathcal{B}$ $(t', \delta/2)$-breaks
the binding property of com if $\mathcal{A}$ breaks the binding property of com to break
one-more unforgeability.

For $b = 1$, we assume that $\mathcal{A}$ breaks one-more unforgeability without attacking
com. So, at least one of the output signatures is not obtained via an interaction.
The probability that $\mathcal{B}$ guesses the index $k$ of this signature correctly is at least
$1/(q_{\mathrm{Sign}} + 1)$. Observe that $e_k$ is a random oracle answer but with probability
$1/|D_\varepsilon|$. Furthermore, notice that with probability 1/2, at least one of the re-runs
of $\mathcal{A}$ yields the same map $\{(i, k) : h_i = e_k\}$ as in the first run of $\mathcal{A}$. Thus, we
consider the indices in both “interesting” replays to be constant.

Applying the Forking Lemma, we know that with probability
$\delta_{\mathrm{frk}} \ge (1 - c)(\delta - 1/|D_\varepsilon|)\big((\delta - 1/|D_\varepsilon|)/q_H - 1/|D_\varepsilon|\big)$,
$\mathcal{A}$ is again successful in the one-more unforgeability experiment and outputs
$(M'_k, (r'_k, z'_k, e'_k))$ using the same random oracle query as in the first run.
The additional $(1 - c)$ factor takes a potential abort during the second run into
account, which happens with probability at most $c$. Therefore, we know that
$(h(z_k) - S e_k, \mathrm{com}(M_k; r_k)) = (h(z'_k) - S e'_k, \mathrm{com}(M'_k; r'_k))$.

Now, we turn to solving the collision problem. We have to show that
$z_k - s e_k \ne z'_k - s e'_k$ and $h(z_k - s e_k) = h(z'_k - s e'_k)$. The second requirement follows directly
from the previous paragraph. The first is more involved. Here, it is important
that the protocol is witness indistinguishable (Lemma 4), i.e., the adversary does
not recognize whether we have used one of at least two possible $s, s'$ (Lemma 3)
with probability greater than 1/2. Thus, with probability at least 1/2 its output
corresponds to $s'$. We show that either $z_k - s e_k \ne z'_k - s e'_k$ or $z_k - s' e_k \ne z'_k - s' e'_k$.
Assuming both are equal, we subtract the equations and obtain $(e_k - e'_k)(s' - s) = 0$.
We know that $e_k - e'_k \ne 0$. Now, $\|(e_k - e'_k)(s' - s)\|_\infty \le 2 d_s n < q/2$
because $\|e_k - e'_k\|_\infty \le 2$ and $\|s' - s\|_\infty \le 2 d_s$. Thus, $(e_k - e'_k)(s' - s) = 0$ over
$\mathbb{Z}[X]/(X^n + 1)$, which is an integral domain. So, we have the contradiction $s' = s$
and a collision $(z_k - s e_k, z'_k - s e'_k) \in D \times D$. The success probability is at least
$\delta_{\mathrm{col}} \ge \frac{1}{4}\,\delta_{\mathrm{frk}} / (q_{\mathrm{Sign}} + 1)$, which is non-negligible if $\delta$ is non-negligible.

Concerning restarts, we argue that the user cannot obtain a valid signature
out of an aborted interaction without solving the collision problem. In order to
trigger an abort after Step 4, it outputs result $= (C, \alpha, \beta, e)$ which, together
with $z^*, y, e^*$, satisfies all abort criteria:

$e^* + \alpha = e = H(Y - S\alpha - h(\beta), C)$ (1)

$e = H(h(z^* - \beta) - Se, C)$ (2)

$z^* - \beta \notin G^m$ (3)

Assume that it also obtains a valid signature $(r', z', e')$ from this interaction. If
$e = e'$, then $h(z^* - \beta - se) = h(z' - se)$ by (2). If the arguments under $h$ are equal,
we have $z^* - \beta \in G^m$, a contradiction with (3). If the arguments are distinct,
we have a collision in $D$ because $\|z' - se\|_\infty \le d_G \le d_D$ and
$\|z^* - \beta - se\|_\infty \le d_{G^*} + d_\beta + n d_s d_\varepsilon = d_D$.

The adversary may succeed by hiding $e' \ne e$ in $e^*$. But then, we necessarily
have $e^* = e - \alpha = e' - \alpha'$ by (1) for an $\alpha \ne \alpha'$ and we know that $\alpha = e - e' + \alpha'$.
So, the adversary had to be able to predict the output of $H$ to compute $\alpha$.

To conclude, the probability that we can extract a collision from a cheating
user during an abort is at least $\delta_{\mathrm{abort}} \ge \delta(1 - 1/|D_\varepsilon|)$, which is non-negligible
if $\delta$ is non-negligible. Thus, the overall success probability of the reduction is
$\delta' \ge \min(\delta_{\mathrm{col}}, \delta_{\mathrm{abort}})$ if the guess $b = 1$ was correct. □

Hence, we require that $q_{\mathrm{Sign}} = o(n)$ to be able to rely on the subexponential
hardness of lattice problems. This constraint is an artifact of the proof technique
as discussed in [PS00] and it is not at all unusual for efficient blind signature
schemes. There, it was even required that $q_{\mathrm{Sign}} \le (\log(n))^{O(1)}$ because
they needed a polynomial-time reduction. In consequence, in our reduction, we
greatly benefit from the subexponential hardness of the underlying lattice problem.
Alternatively, we believe that the running time of the reduction can be
significantly reduced to being polynomial in $q_{\mathrm{Sign}}$ by using techniques due to
Pointcheval [Poi98].

By Theorem 4 we get the following strong worst-case security guarantees.

Corollary 1. BS is one-more unforgeable if solving $\mathrm{ISVP}^\infty$ is hard in the worst
case for approximation factors $\gamma \ge 16 d_D m n \log^2(n) = \tilde{O}(n^5)$ in lattices that
correspond to ideals in $R$.

Leakage Resilience. Using an additional restriction for one of the parameters,
we can safely leak a $(1 - o(1))$ fraction of the secret key in the unforgeability
experiment according to the definition in the full version [Rüc08]. Recall that
$m = \lfloor c_m \log(n) \rfloor + 1$ for some $c_m = O(1)$. Thus, it is possible to choose $c_m = \omega(1)$,
say $\log(n)$, without losing the scheme’s quasi-optimal efficiency. The following
theorem states that such a choice is sufficient to provide strong leakage resilience.
The proof can be found in the full version [Rüc08].

Theorem 5 (Leakage Resilience). Let $c_m = \omega(1)$ and let
$L := \log(|D_s^m|) = mn \log(2 d_s + 1)$ be the length of the secret key. The conditional min-entropy
of $s$, conditioned on $S = h(s)$ and a total secret-key leakage $f(s)$ of
$\lambda = \delta L = (1 - o(1)) L$ bits, is positive with overwhelming probability.
4 Conclusions

We have shown how to construct an efficient and provably secure blind signature 
scheme based on the hardness of worst-case lattice problems. Our scheme has 
four moves, offers quasi-optimal performance, and it is leakage resilient in an 
almost optimal sense. Therefore, we expect our construction to withstand even 
subexponential-time and quantum computer attacks, as well as limited side- 
channel attacks against the secret key. 
Abstract. We consider the round complexity of a basic cryptographic
task: verifiable secret sharing (VSS). This well-studied primitive provides
a good “test case” for our understanding of round complexity in general;
moreover, VSS is important in its own right as a central building block
for, e.g., Byzantine agreement and secure multi-party computation.

The round complexity of perfect VSS was settled by Gennaro et al.
(STOC 2001) and Fitzi et al. (TCC 2006). In a surprising result, Patra
et al. (Crypto 2009) recently showed that if a negligible probability of
error is allowed, the previous bounds no longer apply. We settle the
key questions left open by their work, and in particular determine the
exact round complexity of statistical VSS with optimal threshold. Let $n$
denote the number of parties, at most $t$ of whom are malicious. Their
work showed that 2-round statistical VSS is impossible for $t \ge n/3$. We
show that 3-round statistical VSS is possible iff $t < n/2$. We also give an
efficient 4-round protocol for $t < n/2$.


1 Introduction 

The round complexity of cryptographic protocols is a central measure of their
efficiency, and has been the subject of intense study. In this work, we are interested
in understanding the round complexity of verifiable secret sharing (VSS).
Here, there is a dealer who shares a secret among a group of $n$ parties, at
most $t$ of whom (possibly including the dealer) may be malicious. The requirements
(roughly speaking) are that if the dealer is honest, then no information
about the dealer’s secret is revealed to the $t$ malicious parties by the end of the
sharing phase; nevertheless, by the end of the sharing phase even a dishonest
dealer is irrevocably committed to some value that will be recovered by the honest
parties in the reconstruction phase. Furthermore, if the dealer is honest then
this committed value must be identical to the dealer’s initial input.

We focus on information-theoretic VSS, where the security requirements are
required to hold even when the malicious parties have unbounded computational
power. Here, two different possibilities can be considered: either the security
requirements hold perfectly (i.e., always), or the security requirements hold
statistically but can possibly be violated with negligible probability. Assuming a
broadcast channel, perfect VSS is possible if and only if $t < n/3$, while
statistical VSS is possible up to threshold $t < n/2$ [11].

* Supported by the U.S. DoD/ARO MURI program and NSF award #0627306.

The round complexity of perfect VSS has been extensively studied. For the
case of optimal threshold (i.e., $t < n/3$), Gennaro et al. [5] showed that 3 rounds¹
are necessary and sufficient for perfect VSS, and gave an efficient 4-round protocol
for the task. The 3-round VSS protocol by Gennaro et al. requires communication
exponential in the number of players, but Fitzi et al. [4] later demonstrated
that an efficient 3-round protocol is possible. Katz et al. [7] showed that perfect
VSS could be achieved with optimal round complexity and, at the same time,
optimal use of the broadcast channel.

The 3-round lower bound of Gennaro et al. was generally believed to apply also
to the case of statistical VSS. It was therefore relatively surprising when Patra
et al. [8] showed recently that statistical VSS could be realized in two rounds
for $t < n/3$. The protocol of Patra et al. does not apply when $n/3 \le t < n/2$,
and finding a minimal-round protocol for the optimal security threshold was left
open by their work. On the other hand, the work of Patra et al. proves that
2-round statistical VSS is impossible for $t \ge n/3$, which obviously applies to our
setting as well.

Our results and organization of the paper. In this work we resolve the 
round complexity of statistical VSS with optimal threshold t < n/2. We show 
that 3-round statistical VSS is possible for any t < n/2. We also give an efficient 
4-round protocol for t < n/2. 

2 Model and Definitions 

We consider the standard communication model where parties communicate in 
synchronous rounds using pairwise private and authenticated channels. We also 
assume a broadcast channel. (VSS is impossible for t > n/3 unless broadcast 
is assumed.) A broadcast channel allows any party to send the same message 
to all other parties — and all parties to be assured they have received identical 
messages — in a single round. 

When we say a protocol tolerates t malicious parties, we always mean that 
it is secure against an adversary who may adaptively corrupt up to t parties 
during an execution of the protocol and coordinate the actions of these parties 
as they deviate from the protocol in an arbitrary manner. Parties not corrupted 
by the adversary are called honest. We always assume a rushing adversary; i.e., 
in any round the malicious parties receive the messages (including the broadcast 
messages) sent by the honest parties before deciding on their own messages. 


1 Following the accepted convention, the round complexity of VSS refers to that of 
the sharing phase. 
In our protocol descriptions we assume without loss of generality that parties
send properly formatted messages, as we may interpret an improper or missing
message as some default message.

We let $\mathbb{F}$ denote a finite field and set $k = \log|\mathbb{F}|$. We require the dealer’s
secret to lie in $\mathbb{F}$. In the case of statistical VSS, we allow error with probability
at most $\varepsilon =$ , and so $k$ can be treated as a security parameter. Note that
the dealer’s secret can be padded to lie in a larger field, if desired, to reduce the
probability of error.

Definition 1. A two-phase protocol for parties $\mathcal{P} = \{P_1, \ldots, P_n\}$, where a
distinguished dealer $D \in \mathcal{P}$ holds initial input $s \in \mathbb{F}$, is a $(1 - \varepsilon)$-statistical VSS
protocol tolerating $t$ malicious parties if the following conditions hold for any
adversary controlling at most $t$ parties:

Privacy: If the dealer is honest at the end of the first phase (the sharing phase),
then at the end of this phase the joint view of the malicious parties is independent
of the dealer’s input $s$.

Correctness/Commitment: Each honest party $P_i$ outputs a value $s_i$ at the
end of the second phase (the reconstruction phase). Except with probability
at most $\varepsilon$, the following hold:

1. At the end of the sharing phase, the joint view of the honest parties
defines a value $s'$ such that $s_i = s'$ for every honest $P_i$.

2. If the dealer is honest throughout the execution, then $s' = s$. ◇

Remark: Our definition of statistical VSS relaxes the correctness/commitment 
requirement, but not the secrecy requirement. This is the definition that has been 
considered previously in the literature, and is the definition that our protocols 
achieve. 

3 A Multiple-Verifier Information Checking Protocol

Our protocols rely on what is known as an information checking (sub)protocol
(ICP), a notion first introduced by Rabin and Ben-Or [11]. The traditional
definition of an ICP [11] involves the dealer $D$, an intermediary INT, and a
verifier $V$. In an initial phase, the dealer gives a secret value $s \in \mathbb{F}$ to INT and
some verification information (that reveals nothing about $s$) to $V$. Later, INT
gives $s$ to $V$ along with a “proof” that $s$ is indeed the value that INT received
initially from $D$.

The basic definition of ICP involves only a single verifier; Patra et al.
extend this definition to allow every party in the network to act as a verifier.
Defining ICP in this way (i.e., enabling multiple verifiers) will be helpful when
we use it as a black box in our VSS protocols. Formally, an information checking
protocol (ICP) consists of three stages Distr, AuthVal, and RevealVal:

- Distr($D$, INT, $s$) is initiated by $D$, using as input some value $s$. The algorithm
generates some authentication information (which includes $s$ itself)
that is given to INT, as well as some verification information that is given
to each of the verifiers.

- AuthVal($D$, INT, $s$) is initiated by INT after receiving the authentication
information from $D$. The information held by INT after this stage is called
$D$’s IC-signature and is denoted by ICSIG($D$, INT, $s$).

- RevealVal($D$, INT, $s$) is a sub-protocol in which all messages are broadcast.
Based on the broadcast messages, either ICSIG($D$, INT, $s$) is accepted or
rejected by all honest verifiers (with high probability).

We require ICP to satisfy the following properties: 

1. Correctness 1: If $D$ and INT are honest, then every honest verifier accepts
ICSIG($D$, INT, $s$) during RevealVal.

2. Correctness 2: If INT is honest then at the end of AuthVal, INT possesses
an ICSIG($D$, INT, $s$), which will be accepted in RevealVal by each honest
verifier, except with probability $2^{-\Omega(k)}$.

3. Correctness 3: If $D$ is honest then during RevealVal, with probability at
least $1 - 2^{-\Omega(k)}$, ICSIG($D$, INT, $s$) revealed as some $s' \ne s$ by a corrupted
INT will be rejected by each honest verifier.

4. Secrecy: If $D$ and INT are honest, then till the end of AuthVal, the adversary
has no information about $s$.

3.1 An ICP Protocol 

Here we reproduce a simplified version of the ICP protocol (from Patra et al.)
tolerating $t < n/2$ malicious parties, such that Distr requires one round
and AuthVal and RevealVal require two rounds each. We omit the proofs due to
space limitations.

Distr($D$, INT, $s$):

Round 1:

1. $D$ sends the following to INT:

(a) A random degree-$t$ polynomial $F(x)$ over $\mathbb{F}$, with $F(0) = s$. Let INT
receive $F'(x)$ as the polynomial with $F'(0) = s'$.²

(b) A random degree-$t$ polynomial $R(x)$ over $\mathbb{F}$. Let INT receive $R(x)$ as a
$t$-degree polynomial $R'(x)$.

2. $D$ privately sends the following to each verifier $P_i$:

(a) $(\alpha_i, v_i, r_i)$, where $\alpha_i \in \mathbb{F} \setminus \{0\}$ is random (all $\alpha_i$’s are distinct), $v_i = F(\alpha_i)$
and $r_i = R(\alpha_i)$.

AuthVal($D$, INT, $s$):

Round 1: INT chooses a random $d \in \mathbb{F} \setminus \{0\}$ and broadcasts $(d, B(x))$ where
$B(x) = d F'(x) + R'(x)$.

Round 2: $D$ checks $d v_i + r_i = B(\alpha_i)$ for $i = 1, \ldots, n$. If $D$ finds any inconsistency,
he broadcasts $s_D = s$.

The polynomial $F'(x)$ (when $D$ does not broadcast $s_D$ in round 2 of AuthVal)
or $s_D$ (broadcast by $D$ in round 2 of AuthVal) as held by INT is denoted by
ICSIG($D$, INT, $s$).

² If INT is honest, then $F'(x) = F(x)$.
RevealVal($D$, INT, $s$):

Round 1: INT broadcasts ICSIG($D$, INT, $s$) (i.e., he reveals $D$’s secret contained
in ICSIG($D$, INT, $s$) as $s' = s_D$ or as $s' = F'(0)$).

Round 2: Verifier $P_i$ broadcasts Accept if one of the following conditions holds.
(Otherwise, $P_i$ broadcasts Reject.)

1. ICSIG($D$, INT, $s$) $= s'$, and $s' = s_D$.

2. ICSIG($D$, INT, $s$) $= F'(x)$, and one of the following holds.

(a) C1: $v_i = F'(\alpha_i)$; OR

(b) C2: $B(\alpha_i) \ne d v_i + r_i$ ($B(x)$ was broadcast by INT during AuthVal).

Local Computation (By Every Verifier): If at least $t + 1$ verifiers have
broadcast Accept during round 2 of RevealVal then accept ICSIG($D$, INT, $s$)
and output $s'$ or $F'(0)$ (depending on whether ICSIG($D$, INT, $s$) is $s'$ or $F'(x)$).
Else reject ICSIG($D$, INT, $s$).

In our protocols, we use AuthVal$^{(1)}$, AuthVal$^{(2)}$ to denote the first round and
second round of AuthVal respectively. Similarly RevealVal$^{(1)}$, RevealVal$^{(2)}$ are
used for RevealVal. By ICP$_{\mathrm{sh}}(X, Y, s)$, we mean an execution Distr($X$, $Y$, $s$) followed
by AuthVal($X$, $Y$, $s$). In order to make the presentation clearer, we sometimes
use ICP$_{\mathrm{rec}}(X, Y, s)$ in place of RevealVal($X$, $Y$, $s$). Also, in an execution
ICP$_{\mathrm{sh}}(X, Y, s)$, we say that $X$ conflicts with $Y$, if $X$ had to broadcast correctional
information in AuthVal$^{(2)}(X, Y, s)$. Lastly we say that “$(F(x), d, B(x))$ is
consistent with $(\alpha, v, r)$” if at least one of the following holds:

1. $F(\alpha) = v$.

2. $B(\alpha) \ne d v + r$.
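The three ICP stages above, as an added Python simulation (not code from the paper): it runs Distr, AuthVal and RevealVal over a constructed prime field with an honest dealer and $n$ verifiers, and exercises an honest INT, an INT that reveals a polynomial with $F'(0) \ne s$ (the Correctness 3 case, caught by C1/C2), and an INT that broadcasts a bad $B(x)$ during AuthVal so that $D$’s correction $s_D$ takes over. The field size, the threshold and the two cheating behaviours are my choices.

```python
"""Simulation of the multiple-verifier ICP (Distr / AuthVal / RevealVal) above.

Added illustration, not code from the paper.  The field F is Z_P for a 61-bit
prime, and a dishonest INT is modelled by two simple deviations; everything
else follows the protocol text, with the broadcast channel as a shared dict."""
import random

P = 2**61 - 1  # constructed choice of field: F = Z_P, so k = log|F| is about 61


def rand_poly(t, const=None):
    """Random degree-t polynomial over F (coefficient list); const fixes F(0)."""
    coeffs = [random.randrange(P) for _ in range(t + 1)]
    if const is not None:
        coeffs[0] = const % P
    return coeffs


def evaluate(poly, x):
    """Horner evaluation of poly at x in Z_P."""
    acc = 0
    for c in reversed(poly):
        acc = (acc * x + c) % P
    return acc


def distr(s, t, n):
    """Distr round 1: D hands (F, R) to INT and (alpha_i, v_i, r_i) to each P_i."""
    F, R = rand_poly(t, const=s), rand_poly(t)
    alphas = random.sample(range(1, P), n)            # distinct, nonzero
    verifier_info = [(a, evaluate(F, a), evaluate(R, a)) for a in alphas]
    return (F, R), verifier_info


def authval(F_int, R_int, s, verifier_info):
    """AuthVal: INT broadcasts (d, B = d*F' + R'); D checks d*v_i + r_i = B(alpha_i)
    for every i and broadcasts s_D = s on any inconsistency."""
    d = random.randrange(1, P)
    B = [(d * f + r) % P for f, r in zip(F_int, R_int)]
    bad = any((d * v + r) % P != evaluate(B, a) for a, v, r in verifier_info)
    return {"d": d, "B": B, "s_D": s if bad else None}


def icsig(F_int, transcript):
    """D's IC-signature as held by INT: s_D if D corrected, else the polynomial F'."""
    if transcript["s_D"] is not None:
        return ("value", transcript["s_D"])
    return ("poly", F_int)


def verifier_vote(sig, transcript, my_info):
    """RevealVal round 2 for verifier P_i holding (alpha_i, v_i, r_i): True = Accept."""
    a, v, r = my_info
    kind, payload = sig
    if kind == "value":                      # case 1: revealed value must equal s_D
        return payload == transcript["s_D"]
    c1 = evaluate(payload, a) == v           # C1: F'(alpha_i) = v_i
    c2 = evaluate(transcript["B"], a) != (transcript["d"] * v + r) % P   # C2
    return c1 or c2


def revealval(sig, transcript, verifier_info, t):
    """Local computation: accept iff at least t+1 verifiers voted Accept.
    Returns the reconstructed s' (s_D or F'(0)) or None on rejection."""
    accepts = sum(verifier_vote(sig, transcript, info) for info in verifier_info)
    if accepts < t + 1:
        return None
    kind, payload = sig
    return payload if kind == "value" else evaluate(payload, 0)


def run_icp(s, t, n, mode="honest"):
    """One execution with an honest D and n verifiers.
    mode: "honest"      -> INT follows the protocol
          "fake_poly"   -> INT runs AuthVal honestly, then reveals F' with F'(0) != s
          "bad_authval" -> INT broadcasts B built from a wrong R', so D corrects"""
    (F, R), verifier_info = distr(s, t, n)
    if mode == "bad_authval":
        transcript = authval(F, rand_poly(t), s, verifier_info)
    else:
        transcript = authval(F, R, s, verifier_info)
    if mode == "fake_poly":
        sig = ("poly", rand_poly(t, const=s + 1))     # claims s' = s + 1
    else:
        sig = icsig(F, transcript)
    return revealval(sig, transcript, verifier_info, t)
```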

4 3-Round Statistical VSS with Optimal Resilience

In this section, we present a 3-round statistical VSS protocol with optimal
resilience. Although the complexity of the protocol is exponential in terms of the
number of parties, the protocol proves optimality of the lower bound from [5].
We also show an efficient 4-round statistical VSS protocol in Section 5.

In our 3-round VSS protocol, the dealer additively shares the secret $s$ into
$\binom{n-1}{t}$ shares. Loosely speaking, each of the $\binom{n-1}{t}$ shares corresponds to a $t$-sized
subset in $\mathcal{P} - \{D\}$. Then the dealer runs a “VSS-like” subprotocol to share $s_m$
amongst the players in the $t$-sized subset $S_m \subset \mathcal{P} - \{D\}$. In the reconstruction
phase, the shares corresponding to each subset are reconstructed first. These
shares, in turn, are used to reconstruct the original secret $s$.

We begin by describing a subroutine that we call $U$-VSS.

4.1 $U$-VSS

The goal of the $U$-VSS sub-routine is to achieve VSS-like functionality for a
subset $U$ (with $|U| = t$) of the player set $\mathcal{P}$. In particular, we want the correctness
and commitment properties to hold as in the definition of VSS. However, the
privacy requirement needs to be met only when all players in $U \cup \{D\}$ are honest.
Informally, the 3 rounds of the $U$-VSS protocol can be described as follows:
- In Round 1, $D$ sends the secret $s$ to all players in $U$. Players in $U$ exchange
random pads with each other.

- In Round 2, each player in $U$ authenticates his share (via AuthVal). In addition
he also broadcasts the secret masked with random pads received from
other players in $U$. Players in $U$ also authenticate random pads received from
each other.

- In Round 3, $D$ resolves conflicting broadcasts (if necessary, by broadcasting
$s$ to all players). Players finish authenticating their shares with $D$ and their
random pads with one another.

Unfortunately the P-VSS protocol described above does not guarantee commit- 
ment as such because players in U might (pretend to) have conflicts over random 
pads, thereby having an option to reveal different random pads in the reconstruc- 
tion phase. To see this, consider the case when n = 5 and t = 2 . Without loss of 
generality, let U = { P-2 , P3 } . In round 3 , P> might (or pretend to) be unhappy 
(i.e., the AuthVaK 2 ) check fails) with P^s authentication of random pad r23 (sent 
by P2 to P3). This would result in P2 broadcasting F ( - 2 ' 1 (x) and r23- Similarly P3 
might (or pretend to) be unhappy with P2 over 7-32. Note that other players have 
no information about r23 and r32- In this case, players in V — (U U {D}) cannot 
distinguish (by the end of the sharing phase) between the following 3 cases: 

1. ($D$ and $P_2$ are dishonest.) $P_2$ broadcasted incorrect authentication information for $r_{32}$ (thereby making $P_3$ unhappy over $r_{32}$) and pretends to be unhappy over $P_3$'s broadcast related to $r_{23}$.

2. ($D$ and $P_3$ are dishonest.) $P_3$ broadcasted incorrect authentication information for $r_{23}$ (thereby making $P_2$ unhappy over $r_{23}$) and pretends to be unhappy over $P_2$'s broadcast related to $r_{32}$.

3. ($P_2$ and $P_3$ are dishonest.) Both pretend to be unhappy over each other's broadcast related to the random pads $r_{23}$ and $r_{32}$.

Note that in Case 3, an honest $D$ cannot detect any foul play by the end of the 2nd round.^3 If we are in Case 1 or Case 2, then we have a dishonest majority in $U \cup \{D\}$. Thus a dishonest $D$ could take sides with either $P_2$'s reveal or with $P_3$'s reveal in the reconstruction phase. Depending on which player he supports, different secrets could be reconstructed. Note that the players in $V - (U \cup \{D\})$ may not be able to tell whether $P_2$ or $P_3$ is honest and whose version of the secret they need to output.

However, in executions where there are no unresolved mutual conflicts, U-VSS does achieve the desired VSS properties. Looking back at the $n = 5$, $t = 2$ case, we motivate our definition of mutual conflict in the general case:

Definition 2. A mutual conflict is said to exist in an execution of U-VSS if

1. some $P_i$ broadcasted $r_{ij}, F^{(i)}(x)$ for some $P_j$; and

2. $P_j$ also broadcasted $r_{ji}, F^{(j)}(x)$; and

3. $D$ did not broadcast $s$ in round 3 of the sharing phase.

^3 If we allowed one more round, then Case 3 could be resolved in the following way. When any player broadcasts a "correction" value on a random pad, $D$ broadcasts the secret $s$ in the fourth round. With this modification, commitment can be achieved easily.

To begin with, we want our U-VSS protocol to satisfy the following weak property: If there is no mutual conflict in an execution of U-VSS, then:

- If all players in $U \cup \{D\}$ are honest, then no information about $s$ is revealed to players in $V - (U \cup \{D\})$ at the end of the sharing phase.

- If $D$ is honest, then $D$ is not discarded in the sharing phase. Also, if there is no mutual conflict, then the value shared by $D$ is reconstructed with high probability.

- There exists a value $s'$ such that $D$ is committed to $s'$ at the end of the sharing phase. This $s'$ is reconstructed in the reconstruction phase.


4.2 A Protocol for U-VSS

We present a protocol for U-VSS which satisfies the above requirements.

Inputs: Let $V = \{P_1, \ldots, P_n\}$ denote the set of players and let $D = P_1$ be the dealer with input $s$. Let $U \subset V$ be the target subset with $|U| = t$.

Sharing Phase:

Round 1:

1. Execute $\mathsf{ICP}_{sh}(D, P_i, s)$ for every party $P_i$ in the subset $U$. Let $P_i$ receive $s$ from $D$ as $s^{(i)}$. Denote the polynomials used in $\mathsf{Distr}(D, P_i, s)$ by $F^{(i)}(x)$, $R^{(i)}(x)$ (both are random $t$-degree polynomials with $F^{(i)}(0) = s$).

2. For each pair $(P_i, P_j)$ from subset $U$, party $P_i$ picks a random value $r_{ij}$ and executes $\mathsf{ICP}_{sh}(P_i, P_j, r_{ij})$ for every $P_j \in U \cup \{D\}$. Let $P_j$ receive $r_{ij}$ from $P_i$ as $r'_{ij}$.

Round 2: Each $P_i \in U \cup \{D\}$ broadcasts $a_{ij} := s^{(i)} + r_{ij}$ and $b_{ij} := s^{(i)} + r'_{ji}$ for every $P_j \in U \cup \{D\}$.

Round 3:

1. If for some $P_i, P_j \in U \cup \{D\}$, $a_{ij} \neq b_{ji}$ or $a_{ji} \neq b_{ij}$, then $D$ broadcasts $s$.

2. If $P_i$ conflicts with $P_j$, then he broadcasts $r_{ij}, F^{(i)}(x)$.

Local Computation: $D$ is discarded if for some $P_i, P_j \in U \cup \{D\}$, $a_{ij} \neq b_{ji}$ or $a_{ji} \neq b_{ij}$, and $D$ did not broadcast $s$.

Reconstruction Phase: If $D$ broadcasted $s$ in round 3 of the sharing phase, then each player $P_i$ sets $s^{(i)} := s$, outputs $s$ and terminates.

If there is a mutual conflict, then each player (in $V$) outputs $\bot$ and the reconstruction phase terminates. Else,

1. Each $P_i \in U$ executes $\mathsf{ICP}_{rec}(D, P_i, s)$ and each $P_j \in U \cup \{D\}$ executes $\mathsf{ICP}_{rec}(P_i, P_j, r_{ij})$.

2. $D$ broadcasts the secret $s$.

Local Computation: Construct GOOD in the following way: For $P_i \in U$, include $P_i$ in GOOD if

1. $P_i$ is successful in revealing $s^{(i)}$.

2. For each $P_j$ that did not conflict with $P_i$, $P_i$ is successful in revealing $r'_{ji}$.

3. For every $r'_{ji}$ revealed by $P_i$ in the previous step, $a_{ji} = s^{(i)} + r'_{ji}$ holds.

4. If $r'_{ij}$ was successfully revealed by some $P_j$, then $a_{ij} = s^{(i)} + r'_{ij}$ holds.

Compute $s'$ as follows:

1. If GOOD is empty, then $s' := s$, where $s$ is $D$'s broadcast in Step 2 of the reconstruction phase.

2. Else pick any $P_i \in$ GOOD and assign $s' := s^{(i)}$.

Output $s'$.
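To make the masked-broadcast checks above concrete, the following is an added toy simulation (not code from the paper) of Round 2, the Round 3 dealer check and the GOOD set of the reconstruction phase. It assumes a prime field GF(P) and replaces the ICP sub-protocol with ideal reveals: every pad is revealed as the value that was actually sent, which is what Correctness 2 and Correctness 3 guarantee with high probability, so a cheating player can only misreport his own share. The player ids and the names `run_u_vss`, `compute_good` and `dealer_must_broadcast` are constructed for this example.

```python
"""U-VSS masked-broadcast consistency and the GOOD set, as a toy simulation.

Added example, not the paper's code. Constructed assumptions: values live in
GF(P) for the prime P below; ICP is replaced by ideal reveals (pads are always
revealed as sent), so a cheating P_i can only lie about his own share s^(i).
"""
import random

P = 2**61 - 1  # prime field modulus, a constructed choice


def make_pads(U, rng):
    """Round 1: each P_i in U sends a fresh random pad r_ij to every other P_j in U.
    Honest delivery is assumed, so the pad P_j receives (r'_ij) equals r_ij."""
    return {(i, j): rng.randrange(P) for i in U for j in U if i != j}


def round2_broadcasts(shares, pads):
    """Round 2: P_i broadcasts a_ij = s^(i) + r_ij and b_ij = s^(i) + r'_ji.
    shares[i] is the share s^(i) that P_i actually received from D."""
    a, b = {}, {}
    for (i, j), r in pads.items():
        a[(i, j)] = (shares[i] + r) % P  # P_i masks his share with the pad he sent to P_j
        b[(j, i)] = (shares[j] + r) % P  # P_j masks his share with the pad he got from P_i
    return a, b


def dealer_must_broadcast(a, b):
    """Round 3 / local computation: some a_ij != b_ji means two members of U hold
    different shares (or a pad was tampered with); D must then broadcast s or be discarded."""
    return any(a[(i, j)] != b[(j, i)] for (i, j) in a)


def compute_good(U, a, pads, revealed):
    """Reconstruction: P_i enters GOOD iff the share he reveals agrees with every
    masked broadcast involving him (conditions 3 and 4 of the local computation).
    revealed[i] is the share P_i claims in ICP_rec; pads are revealed faithfully."""
    good = set()
    for i in U:
        consistent = True
        for j in U:
            if j == i:
                continue
            # condition 3: P_j's a_ji must equal (P_i's revealed share) + r'_ji
            consistent &= a[(j, i)] == (revealed[i] + pads[(j, i)]) % P
            # condition 4: P_i's own a_ij must equal (P_i's revealed share) + r'_ij
            consistent &= a[(i, j)] == (revealed[i] + pads[(i, j)]) % P
        if consistent:
            good.add(i)
    return good


def reconstruct(good, revealed, dealer_value):
    """s' is the share of any member of GOOD; D's broadcast is used only if GOOD is empty."""
    return revealed[min(good)] if good else dealer_value


def run_u_vss(U, shares, revealed, dealer_value, seed=1):
    """Drive one execution: returns ('dealer-inconsistent', None) if D would be
    forced to broadcast s in round 3, else (sorted GOOD, reconstructed s')."""
    pads = make_pads(U, random.Random(seed))
    a, b = round2_broadcasts(shares, pads)
    if dealer_must_broadcast(a, b):
        return ("dealer-inconsistent", None)
    good = compute_good(U, a, pads, revealed)
    return (sorted(good), reconstruct(good, revealed, dealer_value))


if __name__ == "__main__":
    U = [2, 3, 4]
    print(run_u_vss(U, {2: 42, 3: 42, 4: 42}, {2: 42, 3: 42, 4: 42}, 42))  # all honest
    print(run_u_vss(U, {2: 42, 3: 42, 4: 42}, {2: 7, 3: 42, 4: 42}, 42))   # P_2 lies
    print(run_u_vss(U, {2: 42, 3: 43, 4: 42}, {2: 42, 3: 43, 4: 42}, 42))  # D gave P_3 another share
```

Because the masked values $a_{ij}$ were fixed in the sharing phase, a player who later claims a different share fails conditions 3 and 4 and is left out of GOOD, while a dealer who hands two members of $U$ different shares produces $a_{ij} \neq b_{ji}$ and is forced to broadcast $s$ in round 3.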

4.3 Proofs

We show that the U-VSS protocol presented above satisfies the necessary requirements through a series of claims.

The following claim is proved by means of a standard argument. We omit the proof due to space limitations.

Claim 1. If all players in $U \cup \{D\}$ are honest, then no information about $s$ is revealed to players in $V - (U \cup \{D\})$ at the end of the sharing phase.

It is easy to see that an honest $D$ is never discarded in the sharing phase.

Claim 2. If there is no mutual conflict, then the value shared by an honest $D$, say $s$, is reconstructed with high probability.

Proof. Since only the values held by $P_i \in$ GOOD are reconstructed, we need to argue that a dishonest $P_i$ is contained in GOOD only if he reveals $s^{(i)} = s$. This is easily shown, since when $D$ is honest, by Correctness 3, every successful reveal is equal to $s$.

Claim 3. If $D$ is not discarded, then for all honest $P_i$, $s^{(i)} = s'$ for some $s'$.

Proof. Assume that honest players $P_i, P_j \in U$ received shares $s^{(i)}, s^{(j)}$ with $s^{(i)} \neq s^{(j)}$. Then in round 2, $a_{ij}$ is not equal to $b_{ji}$. Therefore, $D$ has to broadcast $s$, otherwise he is discarded. Consequently, every $P_i$ sets $s^{(i)} := s$ (see Local Computation).

The following claim can be easily verified.

Claim 4. If $D$ is not discarded, and does not broadcast $s$ in the sharing phase, then with high probability all honest players in $U$ are contained in GOOD.

Claim 5. If there is no mutual conflict, then there exists a value $s'$ such that $D$ is committed to $s'$ at the end of the sharing phase. This $s'$ is reconstructed in the reconstruction phase.

Proof. When $D$ is honest, the claim follows from Claim 2. Assume $D$ is dishonest. If $D$ is discarded in the sharing phase, then the claim trivially holds. In the following, we assume that $D$ is not discarded. Since $D$ is dishonest and $U \cup \{D\}$ contains $(t + 1)$ players, there exists an honest $P_j \in U$. From Claim 3 we have that all honest players received the same share $s' = s^{(j)}$ ($P_j$'s share) from $D$. We now show that if there is no mutual conflict, then $s'$ is reconstructed.

The idea is to show that any $P_i \in U$ is contained in GOOD only if he reveals $s^{(i)}$ as $s'$. This would prove the claim, since all honest players are already contained in GOOD (follows from Claim 4).

For the sake of reaching a contradiction, assume that $P_i \in U$ successfully reveals $s^{(i)} \neq s'$. We consider two cases:

Case 1: $P_j$ did not conflict with $P_i$.

By Correctness 3, with high probability, $P_i$ can successfully reveal $r'_{ji}$ only as $r_{ji}$. Since $P_j$ used $r_{ji}$ to compute $a_{ji}$, it holds that $a_{ji} \neq s^{(i)} + r'_{ji}$ for $s^{(i)} \neq s'$. Hence in this case, $P_i$ will not be included in GOOD.

Case 2: $P_i$ did not conflict with $P_j$.

By Correctness 2, with very high probability, $P_j$ successfully reveals the $r'_{ij}$ that he received. Since $D$ is not discarded, $a_{ij} = b_{ji} = s' + r'_{ij}$. Observe that the condition "$a_{ij} = s^{(i)} + r'_{ij}$" will not be satisfied for $s^{(i)} \neq s'$. Hence in this case, $P_i$ will not be included in GOOD.

The cases discussed above are sufficient since there are no mutually conflicting parties in $U$, i.e., we do not have to consider the case when both $P_i$ and $P_j$ broadcast the random pads which they had used.


4.4 Building Statistical VSS for $t < n/2$ from U-VSS

In the previous section we saw how U-VSS gives us the desired VSS properties when there is no mutual conflict. In this section, we develop techniques to cope with executions in which there is a mutual conflict. Let us first look at the $n = 5$, $t = 2$ case. There is a small trick that we can use to achieve commitment: First observe that a mutual conflict arises when at least 2 parties in $U \cup \{D\}$ are corrupted. Since $U = \{P_2, P_3\}$ and $t = 2$, all players in $V - (U \cup \{D\})$ are honest. (For higher $n$, this is not the case, and hence the difficulty is amplified.) Since the conflicting $P_2, P_3$ would have revealed their polynomials $F^{(2)}(x)$, $F^{(3)}(x)$ (with $F^{(2)}(0) \neq F^{(3)}(0)$) respectively, the reveals for the set $U$ are fixed. Since $P_4$ and $P_5$ are honest, the "check points" are also fixed! The key observation is that for an honest $D$ (Case 3), dishonest $P_2, P_3$ will not be able to guess the honest "check points" correctly. If $D$ is honest, then at least one of the revealed polynomials is not consistent with any of the honest "check points" except with negligible probability. So one of $P_2$'s and $P_3$'s reveals will not be Accepted.

For general $t, n$, when we encounter a mutual conflict in a U-VSS execution, the players in $V - (U \cup \{D\})$ are not necessarily all honest. So instead of assigning a "check point" to each player, we assign a "check point" to each $t$-sized subset via a U-VSS protocol. In addition, to avoid the problems caused by mutual conflicts, only those U-VSS executions in which there is no mutual conflict are used to generate the verification points in the reconstruction phase. The reason behind using U-VSS to share the "check points" is that now checking for Consistency is made public (i.e., dishonest players can no longer arbitrarily broadcast Accept or Reject to force a favorable outcome). U-VSS executions with no mutual conflict guarantee agreement over the revealed check points. This results in agreement over which of the revealed polynomials are actually consistent. There might be two conflicting polynomials both of which satisfy all the check points. However, at the end of the sharing phase, the outcome of the check for Consistency is fixed! If two conflicting polynomials do pass the Consistency test, then $\bot$ is reconstructed. Note that this does not violate the commitment property of VSS, since whether $\bot$ is reconstructed is fixed at the end of the sharing phase. (We assume that $\bot$ represents a default element in $\mathbb{F}$.) Also, dishonest players could possibly reveal incorrect polynomials in the reconstruction phase. We prove that our statistical VSS protocol is robust against such adversarial behavior.


4.5 A 3-Round Protocol for VSS

Inputs: Let $V = \{P_1, \ldots, P_n\}$ denote the set of players and let $D = P_1$ be the dealer with input $s$. Let $\bot \stackrel{\text{def}}{=} 2^t - 1$.

Sharing Phase: $D$ additively shares $s$ into $s_1, \ldots, s_k$, where $s_1, \ldots, s_k$ are random subject to $s = s_1 + s_2 + \cdots + s_k$. The following U-VSS executions are run in parallel.

1. Iterate over all $t$-sized subsets $S_m$: Execute U-VSS$(D, S_m, s_m)$.

2. For each player subset $S_k$ of size $t$, $D$ picks "check points" $(\alpha_k^{(m,i)},\ v_k^{(m,i)} = F_m^{(i)}(\alpha_k^{(m,i)}),\ r_k^{(m,i)} = R_m^{(i)}(\alpha_k^{(m,i)}))$ and sends them to $S_k$ (to check the polynomials revealed by each $P_i \in S_m$). Execute U-VSS$(D, S_k, (\alpha_k^{(m,i)}, v_k^{(m,i)}, r_k^{(m,i)}))$ for all $P_i \in S_m$, and for every $t$-sized subset $S_m$.

Local Computation: $D$ is discarded if at least one of the following holds:

1. $D$ is discarded in some execution of U-VSS$(D, S_k, (\alpha_k^{(m,i)}, v_k^{(m,i)}, r_k^{(m,i)}))$.

2. $D$ is discarded in some execution of U-VSS$(D, S_m, s_m)$.

Reconstruction Phase: Let $B \stackrel{\text{def}}{=} \{S_m \mid D \text{ broadcasted } s_m\}$. Let

$A_{m,i} \stackrel{\text{def}}{=} \{S_k \mid \text{there are no mutual conflicts in the execution of U-VSS}(D, S_k, (\alpha_k^{(m,i)}, v_k^{(m,i)}, r_k^{(m,i)}))\}$.

The reconstruction phase consists of the following 2 rounds:

Round 1: Iterate over all $S_m$, and every $P_i \in S_m$: Execute the reconstruction phase of U-VSS$(D, S_m, s_m)$, and of U-VSS$(D, S_k, (\alpha_k^{(m,i)}, v_k^{(m,i)}, r_k^{(m,i)}))$ (for each $S_k \in A_{m,i}$).

Round 2: Reveals started in round 1 are completed in this round. Also, $D$ broadcasts $s_m$ for each $S_m$.

Local Computation: Let

$C_m \stackrel{\text{def}}{=} \{F_m^{(i)}(x) \mid P_i \in S_m \text{ broadcasted } F_m^{(i)}(x) \text{ and mutually conflicted with some } P_j \in S_m \text{ in the sharing phase}\}$.

All players reconstruct $\bot$ if for some $S_m$:

1. There is a player $P_i \in S_m$ with $F_m^{(i)}(x) \in C_m$ and $(F_m^{(i)}(x), d_m^{(i)}, B_m^{(i)}(x))$ consistent with $(\alpha_k^{(m,i)}, v_k^{(m,i)}, r_k^{(m,i)})$ for all $S_k \in A_{m,i}$; AND

2. There is a player $P_j\ (\neq P_i) \in S_m$ with $F_m^{(j)}(x) \in C_m$, $F_m^{(j)}(0) \neq F_m^{(i)}(0)$, and $(F_m^{(j)}(x), d_m^{(j)}, B_m^{(j)}(x))$ consistent with $(\alpha_k^{(m,j)}, v_k^{(m,j)}, r_k^{(m,j)})$ for all $S_k \in A_{m,j}$.

If $\bot$ is not reconstructed, then for each $S_m \notin B$ construct GOOD$_m$ in the following way: Include $P_i \in S_m$ in GOOD$_m$ if

1. $P_i$ is contained in GOOD corresponding to the execution U-VSS$(D, S_m, s_m)$.

2. $(F_m^{(i)}(x), d_m^{(i)}, B_m^{(i)}(x))$ is consistent with $(\alpha_k^{(m,i)}, v_k^{(m,i)}, r_k^{(m,i)})$ for all $S_k \in A_{m,i}$ (where $F_m^{(i)}(x), d_m^{(i)}, B_m^{(i)}(x)$ are internal variables in $\mathsf{ICP}_{sh}(D, P_i, s_m)$ corresponding to U-VSS$(D, S_m, s_m)$ with $P_i \in S_m$). Let $s_m^{(i)} = F_m^{(i)}(0)$.

Compute $s'_m$ (which is $D$'s commitment to $s_m$) as follows:

1. For $S_m \in B$, set $s'_m$ to be the value broadcasted by $D$ during round 3 of the sharing phase.

2. For $S_m \notin B$, pick any $P_i \in$ GOOD$_m$ and set $s'_m = s_m^{(i)}$. If GOOD$_m$ is empty, then $s'_m = s_m$, where $s_m$ is $D$'s broadcast in round 2 of the reconstruction phase.

Reconstruct $D$'s secret as $s' = \sum_m s'_m$.
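The "check point" mechanism of Sections 4.4 and 4.5 and the additive recombination of the $s'_m$ can be seen in a few lines of field arithmetic. The following is an added example, not the paper's code: it uses a small prime field so that every possible check point can be enumerated, replaces the U-VSS sharing of the check points with plain $(\alpha, F(\alpha))$ pairs, omits the $R(\alpha)$ component, and uses constructed names (`cheating_alphas`, `demo`). It goes slightly beyond the text by counting exactly how many evaluation points would let a forged polynomial pass a check point.

```python
"""Check points for the 3-round VSS, as a toy in a small prime field.

Added example, not from the paper. Constructed assumptions: the field is
GF(P) for the small prime P below (so every possible check point can be
enumerated); the U-VSS executions that share the check points are replaced
by direct lists of (alpha, F(alpha)) pairs.
"""
import random

P = 101  # small prime field, a constructed choice


def poly_eval(coeffs, x):
    """Horner evaluation of c_0 + c_1 x + ... + c_t x^t in GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def random_poly(secret, t, rng):
    """A random t-degree polynomial whose constant term is the secret (as F_m^(i) in ICP_sh)."""
    return [secret % P] + [rng.randrange(P) for _ in range(t)]


def additive_share(s, k, rng):
    """D splits s into k random summands with s = s_1 + ... + s_k (mod P)."""
    parts = [rng.randrange(P) for _ in range(k - 1)]
    parts.append((s - sum(parts)) % P)
    return parts


def make_check_point(poly, rng):
    """D picks a secret point alpha and records (alpha, F(alpha)); in the paper this
    pair (plus R(alpha)) is itself shared to a t-sized subset S_k via U-VSS."""
    alpha = rng.randrange(1, P)
    return alpha, poly_eval(poly, alpha)


def consistent(revealed, check_points):
    """Consistency test of the reconstruction phase: a revealed polynomial is
    accepted only if it agrees with every check point that was revealed."""
    return all(poly_eval(revealed, alpha) == v for alpha, v in check_points)


def cheating_alphas(honest, forged):
    """Evaluation points at which a forged polynomial still matches the honest one.
    honest - forged is a non-zero polynomial of degree <= t, so there are at most t
    such points: a cheater who does not know alpha passes a check point with
    probability at most t/|F|."""
    return [alpha for alpha in range(1, P)
            if poly_eval(honest, alpha) == poly_eval(forged, alpha)]


def reconstruct_secret(subset_values):
    """Final step: s' = sum over all t-sized subsets S_m of the reconstructed s'_m."""
    return sum(subset_values) % P


def demo(secret=77, t=2, subsets=4, seed=3):
    """Share `secret` additively over `subsets` subsets, attach one check point per
    summand polynomial, and return (all honest polynomials accepted, reconstructed s')."""
    rng = random.Random(seed)
    parts = additive_share(secret, subsets, rng)
    polys = [random_poly(sm, t, rng) for sm in parts]
    cps = [[make_check_point(f, rng)] for f in polys]
    accepted = all(consistent(f, cp) for f, cp in zip(polys, cps))
    return accepted, reconstruct_secret(poly_eval(f, 0) for f in polys)
```

With `honest = [3, 4, 5]` and `forged = [1, 7, 4]` the difference is $x^2 - 3x + 2 = (x-1)(x-2)$, so the forgery passes a check point only if $\alpha \in \{1, 2\}$; a forgery that changes only the constant term passes at no point at all, which is the fact the protocol relies on when it accepts a polynomial only against secret check points.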

4.6 Proof of Correctness for 3-Round-VSS

We now prove that 3-Round-VSS satisfies all the properties required of a statistical VSS protocol. Let $\bot \stackrel{\text{def}}{=} 2^t - 1$.

The following lemma is proved by means of a standard argument. We omit the proof due to space limitations.

Lemma 1. (Secrecy) Protocol 3-Round-VSS satisfies perfect secrecy.

Lemma 2. (Correctness) Protocol 3-Round-VSS satisfies the $(1 - \epsilon)$-correctness property.

Proof. It is easy to see that an honest $D$ is never discarded in the sharing phase. We now show that with high probability, $\bot$ is not reconstructed whenever $D$ is honest.

The only possibility of $\bot$ getting reconstructed is when there exist two mutually conflicting players $P_i, P_j \in S_m$ (with $S_m \notin B$) such that $(F_m^{(i)}(x), d_m^{(i)}, B_m^{(i)}(x))$ and $(F_m^{(j)}(x), d_m^{(j)}, B_m^{(j)}(x))$ are consistent with $(\alpha_k^{(m,i)}, v_k^{(m,i)}, r_k^{(m,i)})$ and $(\alpha_l^{(m,j)}, v_l^{(m,j)}, r_l^{(m,j)})$ (respectively) for all $S_k \in A_{m,i}$ and $S_l \in A_{m,j}$. Since $D$ is honest, at least one of $P_i, P_j$ has to be dishonest (otherwise they wouldn't conflict on random pads and broadcast their polynomials).

The key point is that there is at least one set, say $S_l\ (\neq S_m)$, which contains only honest players. Since all its players are honest, there is no mutually conflicting pair in $S_l$. As a result, $S_l \in A_{m,i} \cap A_{m,j}$. By Claim 1, no information is revealed about $(\alpha_l^{(m,i)}, v_l^{(m,i)}, r_l^{(m,i)})$. Also, the correct values $(\alpha_l^{(m,i)}, v_l^{(m,i)}, r_l^{(m,i)})$, as shared by $D$, are revealed in the reconstruction phase of the corresponding U-VSS protocols (follows from Claim 2). So if a dishonest player, say $P_i$, is able to discard an honest $D$ by revealing $F_m^{(i)}(x) \neq F_m(x)$, then he must have guessed $\alpha_l^{(m,i)}$ (follows from the proof of Correctness 3). This happens with negligible probability.

Given that $\bot$ is not reconstructed, a dishonest $P_i$ revealing $F_m^{(i)}(x) \neq F_m(x)$ can be in GOOD$_m$ only if he guessed $\alpha_l^{(m,i)}$, where $S_l$ is the set of honest players (as described above). Again, this happens with negligible probability. Correctness follows immediately.

Claim 6. If a corrupted $D$ is not discarded, then for every $S_m$, at least one honest player is contained in GOOD$_m$ with very high probability.

Proof. First, let us fix an $S_m$. By Claim 5 (commitment property for U-VSS), we have that for every tuple $(\alpha_k^{(m,i)}, v_k^{(m,i)}, r_k^{(m,i)})$ corresponding to $C_m$, the exact tuple was held by (all) the honest player(s) in $S_k$. This essentially makes every verification "check point" behave as if it were possessed by an honest player. Now, from the proof of Correctness 2 for ICP,^4 each honest player in $S_m$ is consistent with the "check points" in $C_m$ with high probability $(1 - \frac{1}{|\mathbb{F}|})$.

Suppose there are $k$ honest players in $S_m$. By the above argument, the claim can fail for a given $S_m$ only if it fails for each honest player in $S_m$. This happens with probability at most $\frac{1}{|\mathbb{F}|^k}$.^5 Since there are $\binom{t+1}{k}\binom{t-1}{t-k}$ such $S_m$, the probability that the claim fails for any one such $S_m$ is bounded by $\binom{t+1}{k}\binom{t-1}{t-k} / |\mathbb{F}|^k$. Summing over all $k$, we see that $D$ can cause the claim to fail for any one $S_m$ with probability at most $\binom{2t}{t} / |\mathbb{F}| = 2^{-O(\kappa)}$. Hence the claim holds.

Lemma 3. (Commitment) Protocol 3-Round-VSS satisfies the $(1 - \epsilon)$-commitment property.

Proof. For an honest $D$, the lemma follows from Lemma 2. In the following, we assume that $D$ is dishonest. First we show that whether or not $\bot$ is reconstructed is fixed at the end of the sharing phase. Note that the polynomials in $C_m$ are taken from the sharing phase. Also, the "check points" for these polynomials are fixed at the end of the sharing phase (by the commitment property of U-VSS proved in Claim 5). Therefore, the decision of whether $\bot$ is reconstructed is fixed at the end of the sharing phase. Since $\bot \in \mathbb{F}$ (by our assumption), we achieve commitment even when $\bot$ is reconstructed.

We prove commitment in the case when $\bot$ is not reconstructed. By Claim 6, we now need to prove that for each $S_m \notin B$, the share held by the honest player(s), say $s'_m = s_m^{(j)}$ for some honest $P_j$, will be reconstructed with high probability (recall that, by Claim 3, all honest players in $U = S_m\ (\notin B)$ have the same share).

Let us assume (for the sake of reaching a contradiction) that some dishonest $P_i \in S_m$ successfully reveals some $s_m^{(i)} \neq s'_m$. Let $a^m_{ij}, b^m_{ij}, r^m_{ij}$ be the internal variables used in U-VSS$(D, S_m, s_m)$ with $P_i, P_j \in S_m$. We consider two cases:

Case 1: $P_j$ did not broadcast $r^m_{ji}$ in round 3 of the sharing phase.

By Correctness 3, with very high probability, $P_i$ can successfully reveal $r'^{m}_{ji}$ only as $r^m_{ji}$. Since $P_j$ computed $a^m_{ji} := s_m^{(j)} + r^m_{ji}$, it holds (with high probability) that $a^m_{ji} \neq s_m^{(i)} + r'^{m}_{ji}$ for $s_m^{(i)} \neq s'_m$. Hence in this case, $P_i$ will not be included in GOOD$_m$.

Case 2: $P_i$ did not broadcast $r^m_{ij}$ in round 3 of the sharing phase.

By Correctness 2, with very high probability, $P_j$ reveals $r'^{m}_{ij}$ as the random pad that he used in computing $b^m_{ji} := s_m^{(j)} + r'^{m}_{ij}$. Since $S_m \notin B$, and since $D$ is not discarded, we have $a^m_{ij} = b^m_{ji}$. Therefore, the condition "$a^m_{ij} = s_m^{(i)} + r'^{m}_{ij}$" will not be satisfied for any $s_m^{(i)} \neq s'_m$. Hence in this case, $P_i$ will not be included in GOOD$_m$.

We do not have to consider the case when both $P_i, P_j$ broadcasted the random pads which they had used (in round 3). This is because if some $P_i$ revealed $F_m^{(i)}(x)$ (with $F_m^{(i)}(0) \neq s'_m$) consistent with all the revealed "check points", then $\bot$ would have been reconstructed. Hence an honest $P_j$'s share (i.e., $s_m^{(j)} = s'_m$) is always reconstructed. Given this, commitment follows immediately.

^4 The proof is identical since in both cases we are dealing with a dishonest $D$ and an honest intermediary. In both cases, the dealer wasn't unhappy with AuthVal$(D, P_i, s)$, where $s$ is the dealer's secret.

^5 We have used the fact that a corrupt $D$'s ability to cause failure for a particular honest player is independent of his ability to cause failure for a different honest player. This is true because $D$ can cause failure for an honest $P_i \in S_m$ only by guessing $d_m^{(i)}$ (follows from the proof of Correctness 2). A different honest player $P_j \in S_m$ chooses $d_m^{(j)}$ independently of $d_m^{(i)}$. Hence our argument is justified.

The theorem follows from Lemmas 1, 2 and 3.

Theorem 1. There exists a 3-round statistical VSS protocol tolerating $t < n/2$ malicious parties.

5 Efficient 4-Round Statistical VSS with Optimal Resilience

We now design a 4-round sharing, 2-round reconstruction $(2t+1, t)$ statistical VSS with polynomial communication complexity. In the protocol, $D$ selects a random symmetric bivariate polynomial $F(x, y)$ such that $F(0, 0) = s$ and sends $f_i(x)$ to $P_i$. At the end of the sharing phase, if $D$ is not discarded, then every honest $P_i$ holds a degree-$t$ polynomial $f_i(x)$ such that for every pair of honest parties $(P_i, P_j)$, $f_i(j) = f_j(i)$. This implies that if $D$ is not discarded, then the $f_i(x)$ polynomials of the honest parties define a symmetric bivariate polynomial $F^H(x, y)$. Moreover, in the protocol it is ensured by using the properties of ICSig that no corrupted $P_i$ will be able to disclose $f'_i(x) \neq f_i(x)$ in the reconstruction phase. Hence, irrespective of whether $D$ is honest or corrupted, reconstruction of $s = F^H(0, 0)$ is enforced. To achieve all the properties of VSS, $D$ gives ICSig to individual parties, and concurrently every individual party gives ICSig to every other party. The protocol is somewhat inspired by the VSS protocol of [3]. As the ICP proposed in [?] takes one round in Distr, 3 rounds in AuthVal and 2 rounds in RevealVal, the VSS of [3] takes at most eleven rounds in the sharing phase.


5.1 The Protocol

Inputs: The dealer has a secret $s$. Let $D$ be the dealer and let $F(x, y)$ be a symmetric bivariate polynomial of degree $t$ in each variable. Let $F(0, 0) = s$.

Sharing Phase

Round 1: Let $f_i(x)$ be defined as $F(i, x)$. Let $r_{ij} \in_R \mathbb{F}$ for each $P_i, P_j$. Execute $\mathsf{ICP}_{sh}(D, P_i, f_i(j))$, $\mathsf{ICP}_{sh}(P_i, P_j, r_{ij})$ and $\mathsf{ICP}_{sh}(P_i, D, r_{ij})$. Let the corresponding values received be $f'_i(j)$, $r'_{ij}$ and $r^D_{ij}$.

Round 2:

1. $P_i$ broadcasts $a_{ij} = f'_i(j) + r_{ij}$ and $b_{ij} = f'_i(j) + r'_{ji}$.

2. $D$ broadcasts $a^D_{ij} = f_i(j) + r^D_{ij}$ and $b^D_{ij} = f_i(j) + r^D_{ji}$.

3. If $P_i$ received $f'_i(x)$ which is not a polynomial of degree $t$, then $P_i$ executes $\mathsf{ICP}_{rec}(D, P_i, f'_i(j))$ for all $j$.

Round 3:

1. If $D$ conflicts with $P_i$, or $a_{ij} \neq a^D_{ij}$ or $a_{ij} \neq b_{ji}$, then $D$ broadcasts $f^D_i(x) = f_i(x)$ and executes $\mathsf{ICP}_{rec}(P_i, D, r^D_{ij})$ and $\mathsf{ICP}_{rec}(P_k, D, r^D_{ki})$ for all $k$.

2. If $P_i$ conflicts with $P_j$, or $a_{ij} \neq b_{ji}$ or $a_{ji} \neq b_{ij}$ or $a_{ij} \neq a^D_{ij}$ or $b_{ij} \neq b^D_{ij}$, then $P_i$ executes $\mathsf{ICP}_{rec}(D, P_i, f'_i(j))$ and $\mathsf{ICP}_{rec}(P_j, P_i, r'_{ji})$.

3. If $P_i$ conflicts with $D$, then he executes $\mathsf{ICP}_{rec}(D, P_i, f'_i(k))$ for all $k$.

Round 4: The corresponding $\mathsf{ICP}_{rec}$ executions are completed in this round.

Local Computation: $D$ is discarded if for some $P_i, P_j$ at least one of the following does not hold:

1. $\{f_i(k)\}_k$ lie on a $t$-degree polynomial.

2. $f'_i(j) = f'_j(i) = f_i(j) = f_j(i)$.

3. $a_{ij} = b_{ji} = f_i(j) + r_{ij}$.

4. All $\mathsf{ICP}_{rec}(P_i, D, r^D_{ij})$ reveals were successful (i.e., at least $t + 1$ Accepts were broadcasted).

Reconstruction Phase: Every $P_i$ executes (if they haven't already) $\mathsf{ICP}_{rec}(D, P_i, f'_i(j))$ and $\mathsf{ICP}_{rec}(P_j, P_i, r'_{ji})$ for all $P_j$.

Local Computation: Let $P_i \in U$ if $D$ broadcasted $f^D_i(x)$. Construct Rec in the following way:

1. $P_i \in$ Rec if $P_i \in U$. In this case, define $f'_i(x) = f^D_i(x)$.

2. $P_i \in$ Rec if he successfully executed $\mathsf{ICP}_{rec}(D, P_i, f'_i(j))$ for all $j$, and the revealed values lie on a $t$-degree polynomial.

Delete $P_i \notin U$ from Rec if

1. $P_i$ successfully revealed $f'_i(j)$ and $f'_i(j) \neq f^D_j(i)$ for some $P_j \in U$.

2. $P_j$ successfully revealed $r'_{ij}$ and $f'_i(j) + r'_{ij} \neq a_{ij}$.

3. For some $P_j$, $P_j$ did not conflict with $P_i$ and $b_{ij} - r'_{ji} \neq f'_i(j)$.

Reconstruct a symmetric bivariate polynomial $F'(x, y)$ of degree $t$ from $\{f'_i(x)\}_{P_i \in \text{Rec}}$. Output $s' = F'(0, 0)$.
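The algebra behind the protocol above, as an added example that is not the paper's code: a symmetric bivariate polynomial is dealt as row polynomials $f_i(x) = F(i, x)$, the pairwise test $f_i(j) = f_j(i)$ is what the masked broadcasts $a_{ij}$ and $b_{ji}$ expose, and $F'(0,0)$ is recovered by interpolating the values $f_i(0)$ of $t+1$ consistent shares. Constructed assumptions: a prime field GF(P), player $P_i$ identified with the field element $i$, and no ICP authentication, so the tampering player in `demo` is caught purely by the consistency test; the names `disagreements`, `row_polynomial` and `demo` are this example's own.

```python
"""Symmetric bivariate polynomial sharing of the 4-round VSS, as a toy.

Added example, not the paper's code. Constructed assumptions: values live in
GF(P) for the prime P below; player P_i is the field element i; ICP
authentication is omitted, so only the f_i(j) = f_j(i) algebra and the
reconstruction of F'(0,0) are shown.
"""
import random

P = 2**61 - 1  # prime field modulus, a constructed choice


def random_symmetric_bivariate(secret, t, rng):
    """Coefficients c[a][b] = c[b][a] of F(x,y) = sum c[a][b] x^a y^b with F(0,0) = secret."""
    c = [[0] * (t + 1) for _ in range(t + 1)]
    for a in range(t + 1):
        for b in range(a, t + 1):
            c[a][b] = c[b][a] = rng.randrange(P)
    c[0][0] = secret % P
    return c


def poly_eval(coeffs, x):
    """Horner evaluation of a univariate polynomial in GF(P)."""
    acc = 0
    for cf in reversed(coeffs):
        acc = (acc * x + cf) % P
    return acc


def row_polynomial(c, i):
    """f_i(x) = F(i, x): the univariate share D sends to P_i (coefficients of x^b)."""
    t = len(c) - 1
    return [sum(c[a][b] * pow(i, a, P) for a in range(t + 1)) % P for b in range(t + 1)]


def disagreements(shares):
    """Pairs (i, j) with f_i(j) != f_j(i): exactly what a_ij = f_i(j) + r_ij and
    b_ji = f_j(i) + r'_ij expose when a_ij != b_ji in the sharing phase."""
    ids = sorted(shares)
    return {(i, j) for i in ids for j in ids
            if i < j and poly_eval(shares[i], j) != poly_eval(shares[j], i)}


def lagrange_at_zero(points):
    """Value at 0 of the unique polynomial of degree len(points)-1 through the points."""
    total = 0
    for i, yi in points:
        num, den = 1, 1
        for j, _ in points:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def reconstruct_secret(shares, t):
    """F'(0,0): the values f_i(0) = F(i,0) of any t+1 consistent shares lie on the
    degree-t polynomial F(x,0), so interpolating them at x = 0 gives the secret."""
    pts = [(i, poly_eval(f, 0)) for i, f in sorted(shares.items())[:t + 1]]
    return lagrange_at_zero(pts)


def demo(secret=12345, t=2, n=5, seed=7):
    """Deal shares to P_1..P_n, then let P_1 reveal a tampered polynomial. Returns
    (secret from honest shares, pairs exposing the tamperer, secret after deleting him)."""
    c = random_symmetric_bivariate(secret, t, random.Random(seed))
    shares = {i: row_polynomial(c, i) for i in range(1, n + 1)}
    s_honest = reconstruct_secret(shares, t)
    tampered = dict(shares)
    tampered[1] = [(shares[1][0] + 1) % P] + shares[1][1:]  # f'_1(x) = f_1(x) + 1
    bad = disagreements(tampered)
    rec = {i: f for i, f in tampered.items() if i != 1}  # delete P_1 from Rec
    return s_honest, bad, reconstruct_secret(rec, t)
```

In `demo`, the tampered $f'_1$ disagrees with every other row at the single point each pair checks, which is why the protocol can delete $P_1$ from Rec and still reconstruct the same $F'(0,0)$ from the remaining $t+1$ consistent shares.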


5.2 Proofs

Note that in our 4-Round-VSS protocol, the ICP properties Correctness 1, Correctness 2 and Correctness 3 hold for concurrent executions of $\mathsf{ICP}(P_i, P_j, r_{ij})$ and $\mathsf{ICP}(P_i, D, r_{ij})$. Also, when $D$ is honest, Secrecy holds for concurrent executions of $\mathsf{ICP}(P_i, P_j, r_{ij})$ and $\mathsf{ICP}(P_i, D, r_{ij})$.

The following lemma is proved by means of a standard argument.

Lemma 4. (Secrecy) Protocol 4-Round-VSS satisfies perfect secrecy.

Claim 7. If $D$ is not discarded and $P_i$ is honest, then for every $P_j \in U$, $f'_i(j) = f^D_j(i)$.

Proof. If $P_i \in U$, then $f'_i(x) = f^D_i(x)$, and since $D$ is not discarded, the claim holds. Now let $P_i \notin U$. Recall that $P_j \in U$ because $D$ conflicted with $P_j$ (over some value $f_j(k)$) OR because $a_{jk} \neq a^D_{jk}$ OR $a_{jk} \neq b_{kj}$. As a result, $D$ reveals $r^D_{ij}$ (Round 3, Step 1). Recall that $P_i \notin U$. Therefore, w.h.p., his reveals are successful. Now there are two cases to consider. First, if $P_i$ conflicts with $D$, then he reveals $f'_i(k)$ as well (Round 3, Step 3). If $f'_i(j) \neq f^D_j(i)$, then $D$ is discarded (see Local Computation). On the other hand, if $P_i$ did not conflict with $D$, then $D$ has to reveal the correct value of $r_{ij}$ (follows from Correctness 3), i.e., $r^D_{ij} = r_{ij}$. Since $P_i \notin U$, we have $a^D_{ij} = a_{ij}$. Therefore, for an honest $P_i$, we have $a^D_{ij} - r^D_{ij} = a_{ij} - r_{ij} = f'_i(j)$. If $a^D_{ij} - r^D_{ij} \neq f^D_j(i)$, then $D$ is discarded (see Local Computation). Therefore, $f'_i(j) = f^D_j(i)$.

Claim 8. If $D$ is not discarded and $P_i$ is honest, then $P_i \in$ Rec.

Proof. If $P_i \in U$, then $P_i \in$ Rec by construction. An honest $P_i \notin U$ successfully reveals $f'_i(j)$ for all $j$. We now show that none of the rules that delete $P_i$ from Rec apply to an honest $P_i$.

1. By Claim 7, we have that for each $P_j \in U$, $f'_i(j) = f^D_j(i)$.

2. Since the revealed $r'_{ij}$ is equal to $r_{ij}$ w.h.p. (by Correctness 3), $a_{ij} = f'_i(j) + r'_{ij}$.

3. If $P_j$ did not conflict with $P_i$, then an honest $P_i$ will be successful in revealing the pad $r'_{ji}$ (by Correctness 2). Hence $b_{ij} - r'_{ji} = f'_i(j)$.

Claim 9. If $D$ is not discarded, then $f'_i(j) = f'_j(i)$ for every honest $P_i, P_j$.

Proof. Recall that when $P_i \in U$, $f'_i(x) = f^D_i(x)$. When both $P_i$ and $P_j$ are in $U$, the claim follows directly. Now suppose $P_i, P_j \notin U$. For honest $P_i, P_j$, if $f'_i(j) \neq f'_j(i)$, then $a_{ij} \neq b_{ji}$ and $a_{ji} \neq b_{ij}$. Consequently, $P_i, P_j$ would have successfully revealed $f'_i(j), f'_j(i)$ respectively (by Correctness 2). Since we assume that $D$ is not discarded, the claim follows in this case too.

Lastly, consider the case when exactly one of $P_i, P_j$ is contained in $U$. W.l.o.g., let $P_i \notin U$, $P_j \in U$. If $f'_i(j) \neq f^D_j(i)$, then $P_i$ would have been deleted from Rec. But by Claim 8 we have that the honest $P_i \in$ Rec. Therefore, the claim must hold.

Recall that there are at least $t + 1$ honest players, and by Claim 8 all of them are contained in Rec. By Claim 9, the shares of these honest players are consistent. The following claim is now easy to see:

Claim 10. If $D$ is not discarded, then all honest parties are consistent with a unique $t$-degree symmetric bivariate polynomial, say $F^H(x, y)$.

Claim 11. If $D$ is not discarded and $P_i \in$ Rec, then $f'_i(x)$ is consistent with $F^H(x, y)$.

Proof. By Claim 7, for every $P_i \in U$, $f^D_i(x)$ is consistent with all the honest players' shares. This implies that $f'_i(x)$ is consistent with $F^H(x, y)$.

Now let $P_i \notin U$. Since $P_i \in$ Rec, we have $f'_i(j) = f^D_j(i)$ for every $P_j \in U$ (otherwise, $P_i$ is deleted from Rec). Therefore, if $f'_i(x)$ is inconsistent with $F^H(x, y)$, then $f'_i(j) \neq f_j(i)$ must hold for some honest $P_j \notin U$. If $a_{ij} \neq b_{ji}$ or $a_{ji} \neq b_{ij}$, then $P_i, P_j$ would reveal $f'_i(j), f'_j(i)$ respectively. Since $D$ was not discarded, we have $f'_i(j) = f'_j(i)$. For the rest of the proof, we assume $a_{ij} = b_{ji}$ and $a_{ji} = b_{ij}$.

If $P_i$ had a conflict with $P_j$, then $P_i$ reveals $f'_i(j)$. If $P_j$ also had a conflict with $P_i$, then $P_j$ would have revealed $f'_j(i)$. Since $D$ was not discarded, we have $f'_i(j) = f'_j(i)$. On the other hand, if $P_j$ did not have a conflict with $P_i$, then $P_i$ would have to reveal $r'_{ji} = r_{ji}$ (follows from Correctness 3). Since $P_j$ is honest, $a_{ji} - r_{ji} = f_j(i)$. If $P_i \in$ Rec, then $b_{ij} - r'_{ji} = f'_i(j)$. Since $r'_{ji} = r_{ji}$ and $a_{ji} = b_{ij}$, this shows that $f'_i(j) = f_j(i)$. Hence $f'_i(x)$ is consistent with $F^H(x, y)$.

On the other hand, if $P_i$ did not have a conflict with $P_j$, an honest $P_j$ would successfully reveal $r'_{ij}$. Since $a_{ij} = b_{ji} = f_j(i) + r'_{ij}$, $P_i$ would have to reveal $f'_i(x)$ such that $f'_i(j) = f_j(i)$; otherwise $a_{ij} \neq f'_i(j) + r'_{ij}$, and $P_i$ will be deleted from Rec.

Since $F^H(x, y)$ can be computed from the joint view of the honest parties at the end of the sharing phase, the following claim holds.

Claim 12. If $D$ is not discarded, then $F^H(x, y)$ will be reconstructed in the reconstruction phase. Moreover, this $F^H(x, y)$ is fixed at the end of the sharing phase.

It is easy to see that an honest $D$ is never disqualified. Given this, the next two lemmas follow directly from Claim 12, and the theorem follows from Lemmas 4, 5 and 6.

Lemma 5. (Correctness) Protocol 4-Round-VSS satisfies the $(1 - \epsilon)$-correctness property.

Lemma 6. (Strong Commitment) Protocol 4-Round-VSS satisfies the $(1 - \epsilon)$-strong commitment property.

Theorem 2. There exists an efficient 4-round sharing, 2-round reconstruction $(2t+1, t)$ statistical VSS protocol.
Abstract. We study perfectly secure message transmission (PSMT) from a sender S to a receiver R in the general adversary model. In this model, instead of being bounded by a threshold, the Byzantine adversary in a network is characterized by an adversary structure. By regarding monotone general access structures as linear codes, we introduce some new properties that allow us to design efficient PSMT protocols. We give a number of efficient PSMT protocols in both undirected and directed network graphs. These protocols comprehensively improve the transmission complexity of some previous results in this area. More significantly, as all of our protocols are executed in either 3 or 2 rounds, our result is the first, in the context of PSMT in the general adversary model, to have constant round complexity when using interaction.

Keywords: perfectly secure message transmission, adversary structure, linear codes, transmission complexity, round complexity.


1 Introduction

In most communication networks, a sender S and a receiver R are connected by unreliable and distrusted channels. The distrust of the channels comes from the assumption that there exists a Byzantine adversary who, with unbounded computational power, can control some nodes on these channels. The aim of perfectly secure message transmission (PSMT) is to enable a secret message to be transmitted from S to R with perfect privacy and reliability. That is, the adversary should learn no information about the message, and the receiver R can output the message correctly.

The initial study by Dolev et al. [?] shows that PSMT is possible by applying secure transmission protocols. It assumes a threshold adversary who can control up to $t$ nodes, and hence can control up to $t$ channels. Extensive studies on the threshold model have been carried out ever since (e.g., [7, 22, 21, ?]).

There are many other studies on a more general adversary model, which allows an adversary to control nodes in a less symmetric way. In many cases, using a
Table 1. PSMT in the general adversary model

                      Network graph   RC                TC over 1       TC over ℓ
Kumar et al. [14]     undirected      O(n)              O(hn^3)         -
Desmedt et al. [?]    directed-1      1                 O(|A|n)         -
Yang-Desmedt [?]      directed-2      expo. in |A|      expo. in |A|    -
Our result            undirected      3 (Section 4.1)   O(hn)           O(hℓ)
                      undirected      2 (Section 4.2)   O(hn^2)         O(hnℓ)
                      directed-2      3 (Section 5.1)   O(h^2 n^2)      O(hnℓ)
                      directed-2      2 (Section 5.2)   O(h)            O(hℓ)

RC denotes round complexity and TC denotes transmission complexity. "TC over 1" is the TC of the PSMT protocol that transmits a single message and "TC over ℓ" is the TC of the protocol that transmits multiple (ℓ) messages, where each message is a field element. "directed-1" are the directed graphs without feedback, and "directed-2" are those with feedback. $h$ is the length of a codeword and $n$ is the number of critical paths (see Section 3).


threshold to model an adversary makes little sense. Indeed, certain platforms 
are more vulnerable than the others. Also, more hierarchical structures cannot 
be described by a single adversary. The general adversary model assumes that 
the adversary is characterized by an adversary structure EU, which consists of 
a number of subsets of nodes, and the adversary is able to control one of these 
subsets, instead of any t nodes. 

Notable studies on PSMT tolerating adversary structures have been done by
Kumar et al. [14] on bi-direction channels, by Desmedt et al. [8] on one-way
forward channels, and by both Patra et al. [19] and Yang and Desmedt [24]
on mixed forward and feedback channels. However, due to the generality of the
adversary structure, the protocols in the previous studies are, in many cases,
inefficient in terms of the number of execution rounds¹ (round complexity) and
the number of field elements transmitted (transmission complexity). Also some
previous results are yet to be further characterized. We shall describe these issues
in more detail in Section 3.

Our contributions. In this paper we show how linear secret sharing schemes
(LSSS) and linear codes can be used to design efficient PSMT protocols in the
general adversary model. Before we do that, we first show a basic construction
of an LSSS and discuss its properties (see Section 2.1). Then we propose a
new generalized linear code (see Section 2.2) for the purpose of error-correcting,
and also for the purpose of defining pseudo-basis and pseudo-dimension (see
Section 2.3). This follows the idea of Kurosawa and Suzuki [?]. Our study on
LSSS and linear codes is shown in Section 2.

Next, in Section 3 we show a further characterization on the problem of PSMT
in the general adversary model. We observe that the transmission complexity of
most previous PSMT protocols is determined by the number of the critical paths.
Thus we shall describe the properties of the critical paths that are effectively used
(see Section 3.1). Also in this section, we show how our protocols improve the
previous results in terms of round complexity (RC) and transmission complexity
(TC) (see Table 1, which we discuss in detail in Section 3.2). Indeed, not only do
we significantly improve the TC of some previous PSMT protocols, but we are
also the first to give interactive protocols that have constant RC in the studies of
the general adversary model. Furthermore, we are also the first to study PSMT
over multiple messages in this context.

Sections 4 and 5 give our constant round and communication efficient protocols
in different network settings. These protocols show comprehensive improvements
to the previous results in this area, as shown in Table 1.

¹ A round is a transmission from S to R or vice versa.

2 LSSS and Linear Codes

Secret sharing schemes are key tools in the study of PSMT. Given a set of n
participants P = {1, ..., n}, the extensively studied threshold schemes (e.g.,
Shamir's scheme [?]) allow any subset of t + 1 participants to learn a secret s,
but do not reveal any information of s to any subset of at most t participants.
General non-threshold schemes, which realize secret sharing among general access
structures, are also presented in literature (e.g., Ito et al. [12] and Benaloh
and Leichter [?]). A monotone access structure Γ is a family of the subsets of P
such that for any set A ⊆ P, if A ∈ Γ and A ⊆ A', then A' ∈ Γ. Without loss
of generality, we assume that P ∈ Γ. An adversary structure can be defined as
𝒜 = 2^P \ Γ. Thus for any set A ⊆ P, if A ∈ 𝒜 and A ⊇ A', then A' ∈ 𝒜. It has
been shown that LSSS's can be designed for any monotone access structures, so
that any set of participants that is in Γ can learn a secret s but any set in 𝒜
cannot. Next we show the construction and the properties of such an LSSS.


2.1 Constructing an LSSS

First, it is well-known that monotone span programs are essentially equivalent
to LSSS's [13] (see also [5]).

Definition 1. [13] A monotone span program is a triple (F, M, ψ), where F is a
finite field, M is an h × d matrix (h ≥ d), and ψ : {1, ..., h} → {1, ..., n} is a
surjective function that assigns a number of rows in M to each participant in P.

For later use, we only allow each row of M to be assigned to a unique participant;
i.e., if ψ(i) = j, then ψ(i) ≠ j' for any j' ≠ j. This is easy to achieve by making
duplicates of the rows that are assigned to multiple participants. Thus h can
indicate the total number of shares distributed.

As Shamir's scheme, our construction assumes that F is sufficiently large. We
also assume a message space 𝓜 ⊆ F, from which the secret is drawn with respect
to a certain probability distribution. Now with (F, M, ψ), one can share a secret
using an LSSS.
Definition 2. Given a monotone span program (F, M, ψ), a secret s ∈ 𝓜 and
a random vector r ∈ F^{d−1}. We regard LS : (𝓜, F^{d−1}) → F^h as a function such
that (T denotes transpose)

$$LS(s, r) = M \times (s, r)^T = (s_1, \ldots, s_h)^T,$$

where s_1, ..., s_h are the h shares generated by the LSSS, and they are assigned
to the n participants by ψ. For any 1 ≤ t ≤ h shares (1 ≤ i_1 <
... < i_t ≤ h), let ψ(i_1, ..., i_t) be the set of participants to whom these shares are
assigned and s_0 ∈ 𝓜 be any possible secret; the LSSS must satisfy the following
conditions:

Secrecy: Pr[s = s_0 | s_{i_1}, ..., s_{i_t}] = Pr[s = s_0] if ψ(i_1, ..., i_t) ∈ 𝒜;
Reconstruction: Pr[s = s_0 | s_{i_1}, ..., s_{i_t}] = 0 or 1 if ψ(i_1, ..., i_t) ∈ Γ.

Apparently, if ψ(i_1, ..., i_t) ∈ Γ, then in the linear span of the i_1, ..., i_t-th rows
of M, there must exist the target vector tar = (1, 0, ..., 0) ∈ F^d. This is to satisfy
the reconstruction condition.

In the context of the information rate, the size of the secret shares has been
studied in literature (e.g., [?]). However, to the best of our knowledge, there
is no result regarding the tight upper bound on the total size of the shares, which
is h in our LSSS. In fact, we do not know whether for any access structure, there
exists an LSSS with size h polynomial in n. However we can have an exponential
size LSSS, which we call the worst case LSSS, as follows. The worst case LSSS
is defined by a monotone span program (F, M_{h×d}, ψ) such that d = |𝒜| and
h = O(dn). h is thus exponential in n because in general |𝒜| = O(2^n). This
construction somehow follows [?] (based on [?]).

The worst case LSSS

Given a set of n participants P and an adversary structure 𝒜 on P. Let
Ā = {P \ A | A ∈ 𝒜} and d = |Ā| = |𝒜|. Construct a d × d matrix M_v, which
is an identity matrix except all entries in the first row are changed to 1.

Let Ā = {D_1, ..., D_d}, then for each 1 ≤ i ≤ d, construct a |D_i| × d matrix
M_i such that each row of M_i is a duplication of the i-th row of M_v. Let
h = Σ_{i=1}^{d} |D_i|, construct an h × d matrix M that is filled by M_1, ..., M_d
from top to bottom.

The function ψ assigns the rows in M to each participant in such a manner
that if a participant is in D_i ∈ Ā (1 ≤ i ≤ d), then ψ assigns a row of M_i to
this participant. End.

See the proof of the secrecy and reconstruction properties of the worst case LSSS
in the full version of this paper [?].

2.2 Linear Codes

Given an LSSS defined by (F, M, ψ). We denote k as the rank of M, thus
k ≤ d. In the rest of the paper, we let the first k rows of M be linearly
independent. Thus ψ(1, ..., k) ∈ Γ. Indeed, because otherwise ψ(1, ..., k) ∈ 𝒜 and
the participants in ψ(1, ..., k) can then recover all the other shares using linear
combinations. This contradicts the secrecy condition of Definition 2.

Definition 3. A linear code C is defined by a k × h generating matrix G in
standard form G = (I_k | A) where I_k denotes the k × k identity matrix and
A is a k × (h − k) matrix.

The codewords of code C are determined by an encode function EC : F^k → F^h
such that given a k-vector 𝐫 ∈ F^k,

$$EC(\mathbf{r}) = \mathbf{r} \times G = c,$$

where c is an h-vector, as a codeword of C, and denoted c ∈ C.

Evidently code C has |F|^k codewords.

We link an LSSS with a linear code as follows. In the rest of this section, we
let M_k be a k × d matrix that consists of the first k rows of M, so the rank of M_k
is k. We construct G in such a manner that the i-th column of G, which we call
col_i, has the following property: (col_i)^T × M_k = row_i, where row_i is the i-th row
of M. This is possible because the rank of M is k, thus row_i is in the linear span
of the first k rows of M (M_k). Therefore, the set {LS(s, r) | s ∈ 𝓜, r ∈ F^{d−1}} is
a subset of a linear code, because for any s ∈ 𝓜, r ∈ F^{d−1}, we have

$$LS(s, r) = (s_1, \ldots, s_h) = EC(s_1, \ldots, s_k) \in C.$$

Definition 4. Let κ be a k-vector such that κ × M_k = tar, where
tar = (1, 0, ..., 0) ∈ F^d is the target vector². Let 𝐫 ∈ F^k. We define a decode
function DC : F^k → F such that DC(𝐫) = 𝐫 × κ^T. We denote the output of the
function, r = DC(𝐫), as the information of the codeword c = EC(𝐫).

Theorem 1. Given any codeword c = (c_1, ..., c_h) = EC(𝐫) ∈ C. One can
decode the information of c with t entries c_{i_1}, ..., c_{i_t} (1 ≤ i_1 < ... < i_t ≤ h) of
c if and only if ψ(i_1, ..., i_t) ∈ Γ.

Proof. Let κ be a k-vector such that the information of c is r = DC(𝐫) = 𝐫 × κ^T.
Remark that C is defined by G, which is derived from M of the LSSS. Let A be
a k × t matrix such that for each 1 ≤ j ≤ t, the j-th column of A is the i_j-th
column of G, then we have

$$\begin{pmatrix} row_{i_1} \\ \vdots \\ row_{i_t} \end{pmatrix} = A^T \times M_k, \qquad (1)$$

where for each 1 ≤ j ≤ t, row_{i_j} is the i_j-th row of M.

First we show that if ψ(i_1, ..., i_t) ∈ 𝒜, then one cannot decode r with
c_{i_1}, ..., c_{i_t}. Assume the opposite, i.e., r can be decoded with c_{i_1}, ..., c_{i_t}. Since
r = 𝐫 × κ^T, the possibility that r can be decoded by (c_{i_1}, ..., c_{i_t}) means that
the column vector κ^T is in the linear span of the columns of A. That is, there
exists a τ^T such that κ^T = A × τ^T so that

$$r = \mathbf{r} \times \kappa^T = \mathbf{r} \times A \times \tau^T = (c_{i_1}, \ldots, c_{i_t}) \times \tau^T.$$

Since κ^T = A × τ^T ⇒ κ = τ × A^T, by multiplying τ by both sides of Eq. (1) we
have

$$\tau \times \begin{pmatrix} row_{i_1} \\ \vdots \\ row_{i_t} \end{pmatrix} = \tau \times A^T \times M_k = \kappa \times M_k = tar.$$

This means that the target vector tar is in the linear span of the rows assigned
to the participants ψ(i_1, ..., i_t) ∈ 𝒜, which is not allowed in our LSSS due to
the secrecy condition.

Next if ψ(i_1, ..., i_t) ∈ Γ, then by the reverse of the above proof and the
reconstruction condition of the LSSS, we can easily prove that one can decode
r with c_{i_1}, ..., c_{i_t}. □

² Because ψ(1, ..., k) ∈ Γ as we showed before, κ must exist.

Given that c = (c_1, ..., c_h) is a codeword at the encoding end, and x = (x_1, ..., x_h)
is the input at the decoding end, because of the channel noise, it is possible that
x ≠ c. We let e = (e_1, ..., e_h) be an error vector such that e = x − c. Normally
we have the following assumption: let E = {i | e_i ≠ 0} be an error locator, we
always have ψ(E) ∈ 𝒜. That is, the errors in a codeword are caused by a set in the
adversary structure. With this assumption, it is well-known that

- the decoder can detect that x is not a codeword if and only if P ∉ 2𝒜 (i.e.,
P ∉ {A_1 ∪ A_2 | A_1, A_2 ∈ 𝒜}), where P is the set of all participants, and

- the decoder can decode the information of c from x if and only if P ∉ 3𝒜
(i.e., P ∉ {A_1 ∪ A_2 ∪ A_3 | A_1, A_2, A_3 ∈ 𝒜}).

See a proof of this result in the full version of this paper [?].

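The worst case LSSS of Section 2.1 and the LSSS-to-code link of this section, worked through on a constructed instance as an added example (this is not the paper's code; the field GF(101), the four participants and the adversary structure with maximal sets {1,2}, {3}, {4} are assumptions). The construction is applied to the maximal sets of 𝒜 only, since monotonicity supplies the rest; the rows are then reordered so that the first k are independent, as this section assumes, G is built column by column from col_i × M_k = row_i, κ from κ × M_k = tar, and decode_from is the constructive half of Theorem 1: it solves A τ^T = κ^T and succeeds exactly for the participant sets in Γ.

```python
"""Worst case LSSS for a small adversary structure, its linked linear code (Definitions
3 and 4) and decoding by Theorem 1. Added example, not the paper's code; GF(P), the
participants and the adversary structure are constructed for illustration."""
from itertools import combinations

P = 101  # prime modulus (assumption: the paper only needs F sufficiently large)
dot = lambda u, v: sum(a * b for a, b in zip(u, v)) % P
transpose = lambda M: [list(c) for c in zip(*M)]

def solve(A, b):
    """One solution x of A x = b over GF(P) (free variables set to 0); None if inconsistent."""
    m, n = len(A), len(A[0])
    aug = [[v % P for v in A[i]] + [b[i] % P] for i in range(m)]
    pivots, row = [], 0
    for col in range(n):
        piv = next((r for r in range(row, m) if aug[r][col]), None)
        if piv is None:
            continue
        aug[row], aug[piv] = aug[piv], aug[row]
        inv = pow(aug[row][col], -1, P)
        aug[row] = [v * inv % P for v in aug[row]]
        for r in range(m):
            if r != row and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(u - f * w) % P for u, w in zip(aug[r], aug[row])]
        pivots.append(col)
        row += 1
    if any(not any(aug[r][:n]) and aug[r][n] for r in range(m)):
        return None
    x = [0] * n
    for r, col in enumerate(pivots):
        x[col] = aug[r][n]
    return x

def solve_left(M, target):
    """x with x * M == target (target in the row span of M), or None."""
    if not M:
        return [] if not any(target) else None
    return solve(transpose(M), target)

def worst_case_lsss(n, adv_max):
    """The paper's worst case LSSS applied to the maximal sets of A (closure under subsets is
    implied): M_v = I_d with an all-ones first row, D_i = P \\ A_i, and each participant in D_i
    gets one copy of row i of M_v; psi[row] is that participant."""
    d = len(adv_max)
    Mv = [[1] * d] + [[int(j == i) for j in range(d)] for i in range(1, d)]
    M, psi = [], []
    for i, A in enumerate(adv_max):
        for participant in sorted(set(range(1, n + 1)) - set(A)):
            M.append(Mv[i]); psi.append(participant)
    return M, psi

def reorder(M, psi):
    """Put a maximal independent set of rows first (the paper assumes the first k = rank(M)
    rows are independent); returns (M, psi, k)."""
    basis, rest = [], []
    for i in range(len(M)):
        (rest if solve_left([M[j] for j in basis], M[i]) is not None else basis).append(i)
    order = basis + rest
    return [M[i] for i in order], [psi[i] for i in order], len(basis)

def build(n, adv_max):
    """LSSS plus its code: column i of G solves col_i x M_k = row_i; kappa x M_k = tar."""
    M, psi, k = reorder(*worst_case_lsss(n, adv_max))
    tar = [1] + [0] * (len(M[0]) - 1)
    G = transpose([solve_left(M[:k], row) for row in M])  # k x h, standard form (I_k | A)
    return M, psi, k, G, solve_left(M[:k], tar)

def share(M, s, r):
    """LS(s, r) = M x (s, r)^T: one share per row of M."""
    return [dot(row, [s] + list(r)) for row in M]

def encode(G, r):
    """EC(r) = r x G."""
    return [dot(r, col) for col in zip(*G)]

def decode_from(G, kappa, idx, values):
    """Theorem 1: A = columns idx of G; find tau with A tau^T = kappa^T, then the information
    is sum_j tau_j c_{i_j}. None when kappa^T lies outside the column span of A."""
    tau = solve([[G[row][j] for j in idx] for row in range(len(G))], kappa)
    return None if tau is None else dot(tau, values)

def check_lsss(n, adv_max):
    """Secrecy for every set in A (tar outside its rows' span); reconstruction for all others."""
    M, psi, k, G, kappa = build(n, adv_max)
    tar = [1] + [0] * (len(M[0]) - 1)
    for size in range(1, n + 1):
        for B in combinations(range(1, n + 1), size):
            rows = [M[i] for i in range(len(M)) if psi[i] in B]
            corrupt = any(set(B) <= set(A) for A in adv_max)
            if (solve_left(rows, tar) is not None) == corrupt:
                return False
    return True

def demo(s=42, r=(7, 19)):
    """Constructed instance: participants 1..4, maximal adversary sets {1,2}, {3}, {4}."""
    M, psi, k, G, kappa = build(4, [(1, 2), (3,), (4,)])
    shares = share(M, s, r)
    is_codeword = shares == encode(G, shares[:k])   # LS(s, r) = EC(s_1, ..., s_k)
    info = dot(shares[:k], kappa)                     # DC(s_1, ..., s_k) = s
    decoded = {B: decode_from(G, kappa, idx, [shares[i] for i in idx])
               for B in [(1, 2), (3,), (1, 3), (3, 4)]          # two sets in A, two in Gamma
               for idx in [[i for i in range(len(M)) if psi[i] in B]]}
    return is_codeword, info, decoded
```

check_lsss walks every nonempty subset of P and confirms that tar lies in the span of a set's rows exactly when the set is outside 𝒜; demo returns the codeword check LS(s, r) = EC(s_1, ..., s_k), the value DC(s_1, ..., s_k) = s, and the decoding results for two sets in 𝒜 (None, since no τ exists) and two sets in Γ (the secret 42).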

2.3 Pseudo-basis and Pseudo-dimension

In Eurocrypt '08, Kurosawa and Suzuki initiated the idea of pseudo-basis and
pseudo-dimension in the threshold model with multiple codewords [?]. A generalization
of the pseudo-basis and pseudo-dimension is possible if P ∉ 2𝒜 (corresponding
to n ≥ 2t + 1 in the threshold model), thus we assume that P ∉ 2𝒜 in
this section. Next, we let ψ^{−1} : {1, ..., n} → {1, ..., h} be the inverse function
of ψ. That is, let A ⊆ P, then ψ^{−1}(A) returns all the locations in a codeword
that are assigned to the participants in A by ψ.

Definition 5. Let A ⊆ P, we define |A| as the size of A and |ψ^{−1}(A)| as the
weight of A. We denote

$$sz_{\mathcal{A}} = \max\{\text{size of } A \mid A \in \mathcal{A}\} \quad \text{and} \quad wt_{\mathcal{A}} = \max\{\text{weight of } A \mid A \in \mathcal{A}\}.$$

Evidently sz_𝒜 = O(n) and wt_𝒜 = O(h). The idea of the generalization is as
follows. The encoder sends m codewords c_1, ..., c_m, and the decoder receives
m h-vectors x_1, ..., x_m such that for each 1 ≤ i ≤ m, x_i = c_i + e_i, where
e_i = (e_{i1}, ..., e_{ih}) is an error vector. For each e_i, let E_i = {j | e_{ij} ≠ 0} be an
error locator, then E_i has the following two properties: (1) |E_i| ≤ wt_𝒜 and
(2) ψ(E_i) ∈ 𝒜 and hence |ψ(E_i)| ≤ sz_𝒜. We assume that ∪_{i=1}^{m} E_i ∈ 𝒜, i.e., the
errors in all the codewords are caused by the same set in 𝒜. Now we give our
pseudo-basis construction scheme as follows.

Pseudo-basis construction scheme

Set B := ∅. For each 1 ≤ i ≤ m, distinguish the following two cases:

1. B = ∅: if x_i ∈ C, then do nothing; otherwise, add x_i to B.

2. Otherwise: let B = {x_{g_1}, ..., x_{g_b}} where 1 ≤ g_1 < ... < g_b < i; if there
exist (a_1, ..., a_b) ∈ F^b such that x_i + a_1 x_{g_1} + ... + a_b x_{g_b} ∈ C, then do
nothing; otherwise, add x_i to B.

Let B be the pseudo-basis. Thus |B| is the pseudo-dimension. End.

It is trivial that the pseudo-dimension of our scheme is at most wt_𝒜 = O(h),
because there are at most wt_𝒜 non-zero entries in each error vector. Thus the
pseudo-basis has O(h²) field elements.

Lemma 1. For any codeword c = (c_1, ..., c_h) ∈ C, let D = {i | c_i ≠ 0}. If
P ∉ 2𝒜 and ψ(D) ∈ 𝒜, then the information of c is 0.

Proof. Let O = {i | c_i = 0}. From P ∉ 2𝒜 and ψ(D) ∈ 𝒜, we can have ψ(O) ∈ Γ.
According to Theorem 1 the information of c can be decoded with all the entries
c_i such that i ∈ O. Since all these entries are 0's, the information of c is 0. □

Given a codeword c ∈ C and a vector x, and let e = x − c be an error vector
such that ψ(E) ∈ 𝒜. If e ∈ C, then x ∈ C. Due to Lemma 1 the information
of e is 0, so the information of x equals the information of c. That is, the
error vector e does not actually cause errors, and we call this kind of error vector
invalid. Evidently, the vector 0 ∈ C is an invalid error vector.

Let B = {x_{g_1}, ..., x_{g_b}} be a pseudo-basis, where 1 ≤ g_1 < ... < g_b ≤ m, and
E_{g_1}, ..., E_{g_b} be the respective error locators; we denote F = ∪_{i=1}^{b} E_{g_i} as the
final error locator of B.

Theorem 2. If the final error locator of a pseudo-basis is known, then the
decoder can decode the information of all the codewords.

Proof. Given the final error locator F of a pseudo-basis B = {x_{g_1}, ..., x_{g_b}}, a
decoding scheme is as simple as the following:

Decoding scheme from the pseudo-basis

For each 1 ≤ i ≤ m, decode the information r_i of c_i from x_i such that if
j ∈ F, then the j-th entry of x_i is not used for decoding. End.

It is straightforward that if i ∈ {g_1, ..., g_b}, then the decoded information r_i is
correct. Indeed, P ∉ 2𝒜 and ψ(F) ∈ 𝒜 imply that ψ({1, ..., h} \ F) ∈ Γ. Thus
according to Theorem 1 the entries not indicated by F can be used to decode
r_i. Since F contains all the error locations of x_i, all the entries that are used to
decode r_i are correct.

Next, if i ∈ {1, ..., m} \ {g_1, ..., g_b}, then because of the existence of non-zero
invalid error vectors, it is possible that E_i ⊄ F. That is, errors may exist
in the entries used to decode r_i. Since x_i ∉ B, there exist (a_1, ..., a_b) ∈ F^b
such that x_i + a_1 x_{g_1} + ... + a_b x_{g_b} ∈ C. Thus e_i + a_1 e_{g_1} + ... + a_b e_{g_b} ∈ C. Let
e' = e_i + a_1 e_{g_1} + ... + a_b e_{g_b}; we have that e' is an invalid error vector. Thus one
can decode the information r_i of c_i correctly from the vector x' = c_i + e'. Since
x_i = c_i + e_i, it is clear that excluding the entries indicated by F, the remaining
entries of x_i are the same as those of x'. That is, even though errors may exist
in the remaining entries, one can decode the information r_i of c_i correctly from
these entries. □

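The pseudo-basis construction scheme and the decoding scheme of Theorem 2, as an added example instantiated in the threshold case that the construction generalizes: Shamir's scheme is the LSSS, so a codeword is a polynomial of degree < k evaluated at h points, wt_𝒜 = t, and P ∉ 2𝒜 is h ≥ 2t + 1. This is not the paper's code; GF(13), k = 3, h = 7, t = 2 and the four corrupted vectors are constructed here, and the coefficient search in case 2 is done exhaustively, which b ≤ wt_𝒜 keeps small.

```python
"""Pseudo-basis construction and decoding from the final error locator (Theorem 2) in the
threshold instance: Shamir sharing as the LSSS, codewords = Reed-Solomon evaluations.
Added example, not the paper's code; GF(13), the code parameters and the corrupted
vectors are constructed here."""
from itertools import product

P = 13
K, H, T = 3, 7, 2              # degree < K polynomials; h = 7 >= 2t + 1, so P is not in 2A
POS = list(range(1, H + 1))    # entry j of a codeword is f(POS[j])

def interp_at(xs, ys, at):
    """Lagrange: value at `at` of the unique polynomial of degree < len(xs) through (xs, ys)."""
    total = 0
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        num = den = 1
        for j, xj in enumerate(xs):
            if j != i:
                num, den = num * (at - xj) % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def encode(r):
    """EC(r): evaluate r_0 + r_1 x + r_2 x^2 at POS; the information is r_0 = f(0)."""
    return [sum(c * pow(x, i, P) for i, c in enumerate(r)) % P for x in POS]

def in_code(x):
    """x is a codeword iff the polynomial through its first K entries predicts the others."""
    return all(interp_at(POS[:K], x[:K], POS[j]) == x[j] for j in range(K, H))

def pseudo_basis(xs):
    """The paper's scheme: x_i joins B unless x_i + a_1 x_{g_1} + ... + a_b x_{g_b} is a codeword
    for some coefficients (searched exhaustively). Returns the indices g_1 < ... < g_b."""
    B = []
    for i, x in enumerate(xs):
        combos = product(range(P), repeat=len(B))    # for empty B this just tests x itself
        if not any(in_code([(v + sum(a * xs[g][j] for a, g in zip(coef, B))) % P
                            for j, v in enumerate(x)]) for coef in combos):
            B.append(i)
    return B

def final_error_locator(B, xs, cs):
    """F = union of the basis vectors' error locators (the sender, knowing c_g, can compute it)."""
    return sorted({j for g in B for j in range(H) if xs[g][j] != cs[g][j]})

def decode_all(xs, F):
    """Decoding scheme from the pseudo-basis: drop positions in F, interpolate the rest at 0."""
    keep = [j for j in range(H) if j not in F]
    return [interp_at([POS[j] for j in keep], [x[j] for j in keep], 0) for x in xs]

def sample():
    """Constructed: four codewords corrupted only at positions 2 and 5 (one adversary set,
    |E_i| <= T); e_3 is a combination of e_1 and e_2, and x_4 is untouched."""
    rs = [(5, 2, 9), (1, 1, 1), (7, 0, 3), (4, 4, 0)]
    cs = [encode(r) for r in rs]
    e = [[0] * H for _ in rs]
    e[0][1], e[1][4] = 6, 2
    e[2][1], e[2][4] = (-3 * 6) % P, (-5 * 2) % P       # e_3 = -3 e_1 - 5 e_2
    xs = [[(c + d) % P for c, d in zip(cw, ev)] for cw, ev in zip(cs, e)]
    return cs, xs, [r[0] for r in rs]

def run():
    """Returns (pseudo-basis indices, final error locator, decoded informations, true ones)."""
    cs, xs, infos = sample()
    B = pseudo_basis(xs)
    F = final_error_locator(B, xs, cs)
    return B, F, decode_all(xs, F), infos
```

In this threshold instance a nonzero codeword has weight at least h − k + 1 > t, so the only invalid error vector is 0: x_3 is left out of B because 3e_1 + 5e_2 cancels e_3 exactly, and x_4 because it is already a codeword, giving B = {x_1, x_2}, F = {2, 5} and correct information for all four vectors. In a general LSSS the cancellation need only reach a codeword supported on an adversary set, which is why Theorem 2 excludes F rather than each vector's own error positions.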

3 PSMT Preliminaries

We abstract away the concrete network structure and model a network by a
graph G(V, E), whose nodes are the parties in the network and edges are point-to-point
secure communication channels. We consider two kinds of network graphs
in this paper:

1. Undirected graphs - in which all the edges are undirected, and allow two-way
communication;

2. Directed graphs - in which all the edges are one-way directed or bi-directed,
and allow mixed communication.

Given an adversary structure 𝒜 on the nodes of a graph, we say the sender S
and the receiver R are d𝒜-separated if there exist d sets A_1, ..., A_d ∈ 𝒜 such
that all paths between S and R pass through some nodes in ∪_{i=1}^{d} A_i; otherwise
we say they are d𝒜-connected.

In the context of PSMT, perfect security requires the achievement of perfect
privacy (i.e., zero probability that the adversary learns the message from the
information he gets) and perfect reliability (i.e., zero probability that R fails to
recover the message correctly). The necessary and sufficient conditions (N&S)
for PSMT on different network graphs have been given in previous results:

N&S-undirected: in undirected graphs, S and R are 2𝒜-connected [14];
N&S-directed-1: in directed graphs without feedback paths, S and R are 3𝒜-connected;
N&S-directed-2: in directed graphs with feedback paths, S and R are 2𝒜-connected
with the forward paths from S to R, and if S and R are 3𝒜-separated, then for
any three sets A_1, A_2, A_3 ∈ 𝒜 such that A_1 ∪ A_2 ∪ A_3 separates S and R, at
most one of these three sets separates S and R on the feedback paths from R
to S [19,24].

It can be seen that the paths between S and R play an important role in the study
of PSMT. Next we show how a characterization of the critical paths determines
the PSMT protocols and their transmission complexity (TC).

3.1 Critical Paths

Unlike those in the threshold model, the N&S conditions for PSMT in the general
adversary model do not require node-disjoint paths. This raises the question of
how to transmit messages in a general network graph. The straightforward solution
(though somehow less efficient) is to characterize the graph into all possible
paths between S and R. To this end, the idea of critical paths was introduced by
Kumar et al. [14] in their initial study. We extend their study, by firstly giving
a formal definition as follows.

Definition 6. Given a graph G(V, E), in which S and R are d𝒜-connected. A
set of paths W is called critical, if S and R are d𝒜-connected with all paths in
W, but are d𝒜-separated with all paths in any W' ⊂ W. Let 𝒲 be the set of all
critical sets of paths, we define a minimal critical set W* such that W* ∈ 𝒲
and |W*| = min{|W| : W ∈ 𝒲}.

Without loss of generality, we assume that there does not exist a trusted path
between S and R; i.e., |W*| > 1.

Observation 1. With any graph in which S and R are d𝒜-connected, |W*| can
be as small as d + 1 or as large as exponential in the size of the graph.

We give two examples in Fig. 1. In the examples we assume that S and R are
2𝒜-connected. First suppose a graph G_1 is as shown in Fig. 1(a), in which there
are only 3 paths between S and R. The adversary structure 𝒜 has the following
property: all nodes in any set A ∈ 𝒜 are on the same path. Thus it is clear that
in G_1, S and R are 2𝒜-connected, and all the 3 paths are in W*.

Next suppose a graph G_2 is as shown in Fig. 1(b). We assume that except S
and R, there are 3r nodes in G_2. We can view S and R as they are connected
by r levels L_1, ..., L_r, where each level L_i (1 ≤ i ≤ r) is a set of 3 nodes, and
there is an edge between each node in L_i and each node in L_{i+1}. The adversary
structure 𝒜 has the following property: for each set A ∈ 2^P, if there exist two
nodes v_1, v_2 ∈ A such that v_1, v_2 ∈ L_i (1 ≤ i ≤ r), then A ∉ 𝒜; otherwise A ∈ 𝒜.
In other words, the adversary can control at most 1 node of each level.

[Fig. 1. 2𝒜-connectivity in different graphs. (a) G_1: |W*| = d + 1 = 3.
(b) G_2: |W*| is exponential in n.]

Obviously S and R are 2𝒜-connected in G_2, but if we remove any edge from
the graph, then they are 2𝒜-separated. Also straightforwardly |W*| = 3^r, because
the critical paths are all the paths with exactly one node of each level on
them. Thus we have that |W*| is exponential in the size of the network, which
is 9r − 3.

Of course our examples can easily be adapted to other connectivity, e.g., 3𝒜-connectivity.

Therefore, if a PSMT protocol is executed via the paths in the graphs, then it
is impossible to determine its TC in the size of the network, because the number
of paths varies remarkably in different graphs with the same connectivity (e.g.,
G_1 and G_2). Thus we determine TC in the number of critical paths. For this
purpose, a re-characterization of the adversary structure is needed.

In general, the participants in an adversary structure are considered to be the
nodes in the network graph. We denote this adversary structure as 𝒜^V. Given
a critical set of paths W, we define a new adversary structure 𝒜^W such that
|𝒜^W| = |𝒜^V|, and for each set A^V ∈ 𝒜^V, there is a corresponding set A^W ∈ 𝒜^W
such that A^W consists of all the paths in W that pass through nodes in A^V.

It is clear that if S and R are d𝒜^V-connected, then they are d𝒜^W-connected
with W. In the rest of the paper, we use 𝒜^W as the considered adversary structure.
Thus we let 𝒜 = 𝒜^W and the participants of the adversary structure are
the critical paths of the network graph.

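The G_2 example and the 𝒜^V → 𝒜^W re-characterization, checked by brute force, as an added example (not the paper's code; the node layout, the value of r, and the reading of 9r − 3 as the number of edges are assumptions). Each node set of 𝒜^V is mapped to the critical paths it meets, d𝒜-connectivity is tested as "no d sets of 𝒜^W together cover all of W", and the criticality of W is tested by deleting one path at a time.

```python
"""G_2 from Section 3.1: r levels of 3 nodes, complete bipartite edges between adjacent
levels, the adversary holding at most one node per level. Added example, not the paper's
code; the layout and the edge-count reading of 9r - 3 are assumptions."""
from itertools import product, combinations_with_replacement

def levels(r):
    """Level i is the three nodes (i, 0), (i, 1), (i, 2); S and R are implicit endpoints."""
    return [[(i, j) for j in range(3)] for i in range(r)]

def all_paths(r):
    """Adjacent levels are completely connected, so an S-R path is one node per level."""
    return [tuple(p) for p in product(*levels(r))]

def edge_count(r):
    """3 edges S to L_1, 9 between each pair of adjacent levels, 3 from L_r to R: 9r - 3."""
    return 3 + 9 * (r - 1) + 3

def adversary_v(r):
    """Maximal sets of A^V: exactly one node per level (subsets are in A^V by monotonicity)."""
    return [frozenset(p) for p in product(*levels(r))]

def adversary_w(paths, adv_v):
    """A^W: each node set becomes the set of critical paths that pass through one of its nodes."""
    return [frozenset(p for p in paths if set(p) & a) for a in adv_v]

def d_connected(paths, adv_w, d):
    """S and R are dA-connected with W iff no d sets of A^W together cover every path."""
    universe = set(paths)
    return all(set().union(*sets) != universe
               for sets in combinations_with_replacement(adv_w, d))

def is_critical(paths, adv_v, d):
    """W is critical: dA-connected with all of W, dA-separated once any one path is removed."""
    if not d_connected(paths, adversary_w(paths, adv_v), d):
        return False
    return all(not d_connected(rest, adversary_w(rest, adv_v), d)
               for rest in ([p for p in paths if p != drop] for drop in paths))

def summarize(r):
    paths, adv_v = all_paths(r), adversary_v(r)
    adv_w = adversary_w(paths, adv_v)
    return {
        "paths": len(paths),                 # 3 ** r: every one-node-per-level path
        "edges": edge_count(r),              # 9r - 3
        "2A_connected": d_connected(paths, adv_w, 2),
        "3A_connected": d_connected(paths, adv_w, 3),
        "W_is_critical": is_critical(paths, adv_v, 2),
    }

if __name__ == "__main__":
    print(summarize(2))
```

For r = 2 the nine paths are all critical (dropping any one lets two adversary sets cover the rest), S and R are 2𝒜-connected but 3𝒜-separated (three sets can take a whole level), and the path count 3^r grows exponentially while the edge count 9r − 3 grows linearly, which is the point of Observation 1.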

3.2 Improvements to the Previous Results

In the rest of the paper, we let n = |W| be the number of critical paths, and 𝒜
be an adversary structure over the n paths.

Because the previous protocols use different characterizations for PSMT, it
is not straightforward to compare their TC with our result. In fact, we need
to compare the three parameters (n, |𝒜|, h)³ that determine the TC of the
protocols. First we do not know the tight upper bound on h, but our worst
case LSSS achieves h ≤ O(|𝒜|n), so h should not be larger. In general |𝒜| is
exponential in n, but due to the way that the critical paths are selected, n
can be polynomial in |𝒜| in some network graphs [14]. Either way, our results
significantly improve the previous results in terms of round complexity (RC)
and transmission complexity (TC) over a single message. We also present some
efficient protocols to transmit ℓ > 1 messages. The problem of multiple message
transmission has not been studied before in the general adversary model.

A summary of the results is shown in Table 1 in Section 1. Note that
Desmedt et al.'s protocol [8] is executed in directed graphs without feedback,
which means that the receiver R cannot send messages to the sender S. Thus
the protocols in this graph must be non-interactive and can only have 1 round.
Their protocol is actually an alternative use of the worst case LSSS that we
showed before. Thus the protocol can easily be reformed into a 1-round protocol
with TC O(h). The protocol by Yang and Desmedt [24] uses the settings in [19],
which require both the RC and TC to be exponential in |𝒜|. As we discussed
before, both h and n are at most polynomial in |𝒜|, so our improvements are
obvious. We also remark that in the studies of the general adversary model, our
results are the first to have constant RC in undirected and directed-2 graphs.

³ As shown in the previous section, h is the size of the LSSS as well as the length of
the codewords.


3.3 Other Preliminaries

We assume that each message s is drawn from the message space 𝓜 ⊆ F with
respect to a certain probability distribution. Since two different types of graphs
are considered, we have the following: in an undirected graph, we denote W =
{w_1, ..., w_n} as a critical set of undirected paths; in a directed graph, we denote
W = {w_1, ..., w_n} as a critical set of the forward paths and Q = {q_1, ..., q_u} as
a critical set of the feedback paths, where u = O(n).

Given that S and R are 2𝒜-connected with W, if S sends the same message
via all paths in W, then R is able to receive the message perfectly reliably [?].
In our protocols we say "S broadcasts a message via W" to indicate this kind of
transmission. Thus the TC of the broadcast of 1 field element is O(n).

Note that the linear code is constructed considering the critical paths as the
participants. When S sends a codeword c = (c_1, ..., c_h) in such a manner that
for each 1 ≤ j ≤ h, if ψ(j) = w_i for some 1 ≤ i ≤ n, then S sends c_j via w_i, we
say "S sends c via W with respect to ψ" to indicate this kind of transmission.
Thus the TC of the transmission of 1 codeword is O(h).

In our protocols, we omit some indices for the communication. For example,
if S sends a pseudo-basis to R, then generally S should attach an index in the
transmission to indicate exactly which codeword each vector in the pseudo-basis
corresponds to. Indexing is very cheap in terms of TC. Thus in our protocols,
we omit some indices to make the protocols easier to read.

4 PSMT in Undirected Graphs

In this section we show our PSMT protocols in undirected graphs. According
to N&S-undirected, S and R must be 2𝒜-connected in an undirected graph.
We first give 3-round protocols in Section 4.1 for the transmissions of a single
message and multiple messages, and then give 2-round protocols in Section 4.2.
The protocols given in this section are along the lines of the results in [?].

4.1 3-Round Undirected Protocols

We omit the 3-round protocols in this section due to lack of space, and also
because they are relatively simple. However, the TC of our 3-round protocol over
a single message is O(hn²), and the TC of our 3-round protocol over multiple
(ℓ) messages is O(hℓ) where ℓ = wt_𝒜 h. Thus the TC of both protocols is about
optimal in the context of PSMT in the general adversary model. For the details
of the 3-round undirected protocols, see the full version of this paper [?].

4.2 2-Round Undirected Protocols

First we give a 2-round protocol to transmit a single message.

2-round undirected protocol for a single message s
Round 1 - R to S:

1. R chooses n random k-vectors 𝐫_1, ..., 𝐫_n ∈ F^k, and for each 1 ≤ i ≤ n,
R encodes 𝐫_i to get codeword c_i = EC(𝐫_i) = (c_{i1}, ..., c_{ih}).

2. For each 1 ≤ i ≤ n, R sends vector 𝐫_i via path w_i, and sends codeword
c_i via W with respect to ψ.

Round 2 - S to R:

1. S receives n k-vectors 𝐫'_1, ..., 𝐫'_n and n h-vectors x_1, ..., x_n from W. For
each 1 ≤ i ≤ n, let x_i = (x_{i1}, ..., x_{ih}).

2. For each 1 ≤ i ≤ n, S encodes 𝐫'_i to get codeword c'_i = EC(𝐫'_i) =
(c'_{i1}, ..., c'_{ih}). S then constructs a set D_i such that for each 1 ≤ j ≤ h,
iff x_{ij} ≠ c'_{ij}, then (x_{ij}, j) ∈ D_i.

3. S finds a k-vector 𝐫_s such that s = DC(𝐫_s), and then encodes c_s =
EC(𝐫_s) = (c^s_1, ..., c^s_h). For each 1 ≤ j ≤ h, if ψ(j) = w_i, then S
computes z_j = c^s_j + c'_{ij}. Finally S sets z = (z_1, ..., z_h).

4. S broadcasts z and D_1, ..., D_n via W.

Recovery Phase

1. R receives z and D_1, ..., D_n from W.

2. R sets F := ∅. For each 1 ≤ i ≤ n, if there exists a pair (x_{ij}, j) ∈ D_i
such that x_{ij} = c_{ij}, then R sets F := F ∪ {i}.

3. For each 1 ≤ j ≤ h, if ψ(j) = w_i, then R computes c^s_j = z_j − c_{ij}. R then
decodes s' as the information of (c^s_1, ..., c^s_h) such that for any ψ(j) = w_i
where i ∈ F, the entry c^s_j is not used for decoding. End.

Proof of perfect security. Omitted. See the full version of this paper [?].

TC of the protocol. Let TC(i) be the TC of Round i for 1 ≤ i ≤ 3. In this
protocol:

$$TC(1) = hn + kn = O(hn)$$

$$TC(2) = O(n(h + 2hn)) = O(hn^2)$$

We have that the total TC is O(hn²) field elements.

Next, before we show our 2-round PSMT protocol that transmits multiple
messages, we employ a well-known technique in this context: the randomness
extractor [?]. Suppose that the adversary has no knowledge on ℓ out of m
random elements r_1, ..., r_m ∈ F. Let f(x) be a polynomial of degree deg f(x) ≤
m − 1 such that f(i) = r_i for each 1 ≤ i ≤ m, then the adversary has no
knowledge on z_j = f(m + j) for each 1 ≤ j ≤ ℓ. We denote a function RE :
F^m → F^ℓ as a randomness extractor such that RE(r_1, ..., r_m) = (z_1, ..., z_ℓ).
This function will be used in the following 2-round PSMT protocol. 
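The randomness extractor RE, with its secrecy claim checked exhaustively, as an added example (not the paper's code; GF(7), m = 4 and ℓ = 2 are assumptions chosen small enough that every adversary view can be enumerated).

```python
"""Randomness extractor RE: f of degree <= m - 1 with f(i) = r_i, output z_j = f(m + j).
Added example, not the paper's code; GF(7), m = 4, ell = 2 are constructed so that the
adversary's view can be enumerated exhaustively."""
from itertools import combinations, product

P = 7

def lagrange_at(xs, ys, at):
    """Value at `at` of the unique polynomial of degree < len(xs) through the points (xs, ys)."""
    total = 0
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        num = den = 1
        for j, xj in enumerate(xs):
            if j != i:
                num, den = num * (at - xj) % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def extract(r, ell):
    """RE(r_1, ..., r_m) = (f(m + 1), ..., f(m + ell)); m + ell < P keeps the points distinct."""
    m = len(r)
    assert m + ell < P, "evaluation points must be distinct field elements"
    return [lagrange_at(list(range(1, m + 1)), r, m + j) for j in range(1, ell + 1)]

def output_image_sizes(m, ell, n_unknown):
    """For every choice of n_unknown inputs the adversary does not know, and every value of
    the inputs it does know, count the distinct z reachable by varying the unknown ones."""
    sizes = set()
    for unknown in combinations(range(m), n_unknown):
        known = [i for i in range(m) if i not in unknown]
        for kv in product(range(P), repeat=len(known)):
            seen = set()
            for uv in product(range(P), repeat=n_unknown):
                r = [0] * m
                for i, v in zip(known, kv):
                    r[i] = v
                for i, v in zip(unknown, uv):
                    r[i] = v
                seen.add(tuple(extract(r, ell)))
            sizes.add(len(seen))
    return sizes

def hides_unknown_inputs(m, ell):
    """The secrecy claim: with ell unknown inputs, the unknowns map one-to-one onto F^ell,
    so z is uniform and independent of everything the adversary saw."""
    return output_image_sizes(m, ell, ell) == {P ** ell}
```

output_image_sizes(4, 2, 2) returns {49}: for each choice of two unknown inputs and each view of the two known ones, the unknowns map one-to-one onto F², because a polynomial of degree ≤ 3 is fixed by its values at the two known points together with f(5) and f(6). With only one unknown, output_image_sizes(4, 2, 1) returns {7}: z is confined to 7 of the 49 values, which is why the protocol below extracts only as many elements as the adversary provably misses.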
2-round undirected protocol for ℓ = wt_𝒜(n − sz_𝒜 − 1) messages s_1, ..., s_ℓ
Round 1 - R to S:

1. R chooses wt_𝒜 n random k-vectors 𝐫_1, ..., 𝐫_{wt_𝒜 n} ∈ F^k, and for each 1 ≤
i ≤ wt_𝒜 n, R encodes 𝐫_i to get codeword c_i = EC(𝐫_i) = (c_{i1}, ..., c_{ih}).

2. For each 1 ≤ i ≤ n, R sends vectors 𝐫_{i+0·wt_𝒜}, 𝐫_{i+1·wt_𝒜}, ..., 𝐫_{i+(wt_𝒜−1)·wt_𝒜}
via path w_i. R also sends codewords c_1, ..., c_{wt_𝒜 n} via W with respect
to ψ.

Round 2 - S to R:

1. S receives wt_𝒜 k-vectors 𝐫'_{i+0·wt_𝒜}, 𝐫'_{i+1·wt_𝒜}, ..., 𝐫'_{i+(wt_𝒜−1)·wt_𝒜} on each
path w_i (1 ≤ i ≤ n), and also receives wt_𝒜 n h-vectors x_1, ..., x_{wt_𝒜 n}
from W. For each 1 ≤ i ≤ wt_𝒜 n, let x_i = (x_{i1}, ..., x_{ih}).

2. For each 1 ≤ i ≤ wt_𝒜 n, S uses the pseudo-basis construction scheme
to construct a pseudo-basis B from x_1, ..., x_{wt_𝒜 n}. Let b be the pseudo-dimension
of B, then b ≤ wt_𝒜.

3. For each 1 ≤ i ≤ wt_𝒜 n, S encodes 𝐫'_i to get codeword c'_i = EC(𝐫'_i) =
(c'_{i1}, ..., c'_{ih}). S then constructs a set D_i such that for each 1 ≤ j ≤ h,
iff x_{ij} ≠ c'_{ij}, then (c'_{ij}, j) ∈ D_i.

4. For each 1 ≤ i ≤ wt_𝒜 n, S decodes r'_i = DC(𝐫'_i). S then constructs a set T
such that iff |D_i| ≤ wt_𝒜, then r'_i ∈ T. S uses the randomness extractor to
get (z_1, ..., z_ℓ) = RE(T), and for each 1 ≤ i ≤ ℓ, S computes σ_i = s_i + z_i.

5. S broadcasts the pseudo-basis B and σ_1, ..., σ_ℓ. For each 1 ≤ i ≤ wt_𝒜 n,
if |D_i| > wt_𝒜, then S broadcasts "ignore i"; else, S broadcasts D_i.

Recovery Phase

1. R finds the final error locator F from B.

2. For each D_i that R receives on W, R constructs an h-vector c''_i =
(c''_{i1}, ..., c''_{ih}) such that for each 1 ≤ j ≤ h, if (c'_{ij}, j) ∈ D_i, then c''_{ij} = c'_{ij};
else, c''_{ij} = c_{ij}. R then decodes the information r''_i of c''_i such that
for any j ∈ F, c''_{ij} is not used for decoding. R puts r''_i in a set T'.

3. R uses the randomness extractor to get (z'_1, ..., z'_ℓ) = RE(T'), and for
each 1 ≤ i ≤ ℓ, R computes s'_i = σ_i − z'_i. End.

Proof of perfect security. Omitted. See the full version of this paper [?].

TC of the protocol. In this protocol:

$$TC(1) = (k + h)\,wt_{\mathcal{A}}\,n = O(h\ell)$$

$$TC(2) = O(n(wt_{\mathcal{A}} h + \ell + wt_{\mathcal{A}} n \cdot 2h)) = O(h^2 n^2) = O(hn\ell)$$

We have that the total TC is O(hnℓ) field elements.

5 PSMT in Directed Graphs 

In this section we show our PSMT protocols in directed graphs. We let W = 
{wi, . . . , w n } be the critical set of forward paths and Q = {q -\ , . . . , q u } be the 
critical set of feedback paths. 
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In a directed graph without feedback (Q = 0), S only needs to send a codeword 
c, of which the information is the message s, to R via W with respect to ip. Due 
to N&S-directed-l, S and R are 3 ^.-connected, R can decode the information of 
c by correcting errors. Thus the protocol is perfectly secure and the TC is 0{h). 
We remark that Desmedt et al.’s protocol jHj is actually an alternative use of 
the worst case LSSS. 

Next we consider a directed graph with feedback (Q ^ 0). We give our 3-round 
protocols under the condition of N&S-directed-2 in Section 15.11 In Section 15.21 
we show that N&S-directed-2 is not sufficient for 2-round PSMT protocols, and 
hence we give a new N&S condition and propose our protocols under this con- 
dition. The protocols given in this section are along the lines of the results 

in GEES- 

5.1 3-Round Directed Protocols 

Before we show our 3-round protocols, we notice that the adversary structure $\mathcal{A}$ is over all paths in $W \cup Q$. However, in our 3-round protocols, we do not need to assign shares (or entries) to the paths in $Q$. Thus we denote an adversary structure $\mathcal{A}'$ over the paths in $W$ only, i.e., for any set $A \in \mathcal{A}$, there is a corresponding set $A' \in \mathcal{A}'$ such that $A' = A \cap W$. Thus S and R are $2\mathcal{A}'$-connected with the paths in $W$. Note that in this section, the linear codes in our protocols are constructed with respect to $\mathcal{A}'$.

3-round directed protocol for a single message $s$
Round 1 - S to R:

1. S chooses $wt_A(u+1)+1$ random $k$-vectors $\mathbf{r}_1, \dots, \mathbf{r}_{wt_A(u+1)+1} \in F^k$, and for each $1 \le i \le wt_A(u+1)+1$, S encodes $\mathbf{r}_i$ to get codeword $\mathbf{c}_i = EC(\mathbf{r}_i) = (c_{i1}, \dots, c_{ih})$.

2. For each $1 \le i \le wt_A(u+1)+1$, S sends $\mathbf{c}_i$ via $W$ with respect to $\psi$.

Round 2 - R to S:

1. R receives $wt_A(u+1)+1$ $h$-vectors $\mathbf{x}_1, \dots, \mathbf{x}_{wt_A(u+1)+1}$ from $W$. R uses the pseudo-basis construction scheme (see Section 2.3) to construct a pseudo-basis $B$ from $\mathbf{x}_1, \dots, \mathbf{x}_{wt_A(u+1)+1}$, and then broadcasts $B$ via all paths $q_1, \dots, q_u \in Q$.

Round 3 - S to R:

1. For each $1 \le v \le u$, let $B_v$ be the pseudo-basis that S receives on path $q_v$, and let $b_v$ be the pseudo-dimension of $B_v$.

2. For each $1 \le v \le u$, if $b_v > wt_A$, then S broadcasts "ignore $v$" via $W$; else S finds the final error locator $F_v$ from $B_v$. If $|F_v| > wt_A$, then S broadcasts "ignore $v$" via $W$; else S broadcasts $B_v$ and $F_v$ via $W$.

3. S sets $U := \emptyset$ and $T := \emptyset$. For each $1 \le v \le u$ such that $b_v \le wt_A$, S adds all the actual codewords ($\mathbf{c}_i$'s) that correspond to the $h$-vectors in $B_v$ to $U$. Thus at last, $|U| \le wt_A u$. For each $\mathbf{r}_i$ such that $EC(\mathbf{r}_i) = \mathbf{c}_i \notin U$, if $i \notin T$ and $|T| < wt_A + 1$, then S sets $T := T \cup \{i\}$. Thus at last, $|T| = wt_A + 1$. For each $i \in T$, S decodes $r_i = DC(\mathbf{r}_i)$. S computes $\sigma = s + \sum_{i \in T} r_i$ and broadcasts $\sigma$ and $T$ via $W$.
Recovery Phase

Let $v := 1$, while $v \le u$:

1. if R receives "ignore $v$" from $W$, then R sets $v := v + 1$;

2. else if R receives $B_v$ and $F_v$ from $W$, then

(a) if $B_v \neq B$, then R sets $v := v + 1$;

(b) else, with $F_v$, $\sigma$ and $T$, R uses the decoding scheme from pseudo-basis (see Section 2.3) to get the information $r_i$ of $\mathbf{c}_i$ for each $i \in T$. R then recovers $s = \sigma - \sum_{i \in T} r_i$ and terminates the protocol.

If $v > u$, then R knows that S did not receive the correct pseudo-basis $B$, so all paths $q_1, \dots, q_u \in Q$ are corrupted. For each $i \in T$, R finds a set $A \in \mathcal{A}$ such that $Q \subseteq A$, and if $A$'s entries in $\mathbf{x}_i$ are removed, all the remaining entries are a part of a codeword $\mathbf{c}' \in C$, then R decodes $r'_i$ as the information of $\mathbf{c}'$. R recovers $s' = \sigma - \sum_{i \in T} r'_i$. End.

Proof of perfect security. Omitted. See the full version of this paper [?].

TC of the protocol. In this protocol:

$TC(1) = h(wt_A(u+1)+1) = O(h^2 n)$

$TC(2) = O(u(wt_A h)) = O(h^2 n)$

$TC(3) = O(n(wt_A hu + wt_A u + 1 + wt_A + 1)) = O(h^2 n^2)$

We have that the total TC is $O(h^2 n^2)$ field elements.

Our 3-round protocol that transmits multiple messages is a generalization of 
the above protocol for a single message transmission. Thus we only show their 
differences as follows. 

3-round directed protocol for $\ell = wt_A \cdot u$ messages $s_1, \dots, s_\ell$

Round 1 - S to R: S does the same, only for $wt_A(u+1)+\ell$ random $k$-vectors.
Round 2 - R to S: R does the same.

Round 3 - S to R: S does the same until step 3.

3. S sets $U := \emptyset$. For each $1 \le v \le u$ such that $b_v \le wt_A$, S adds all the actual codewords ($\mathbf{c}_i$'s) that correspond to the $h$-vectors in $B_v$ to $U$. Thus at last, $|U| \le wt_A u$.

4. S sets $T_1, \dots, T_\ell := \emptyset$. For each $\mathbf{r}_i$ such that $EC(\mathbf{r}_i) = \mathbf{c}_i \notin U$, for each $1 \le j \le \ell$, if $i \notin T_j$ and $|T_j| < wt_A$, then S sets $T_j := T_j \cup \{i\}$. Thus at last, all $T_1, \dots, T_\ell$ are the same and $|T_j| = wt_A$. There are at least $\ell$ vectors $\mathbf{r}_i$ such that $EC(\mathbf{r}_i) = \mathbf{c}_i \notin U$ and $i \notin T_j$.⁴ Let $\mathbf{r}_{i_1}, \dots, \mathbf{r}_{i_\ell}$ be $\ell$ such vectors; then for each $1 \le j \le \ell$, S sets $T_j := T_j \cup \{i_j\}$. Thus $|T_j| = wt_A + 1$, and all $T_1, \dots, T_\ell$ are different. For each $1 \le j \le \ell$ and $i \in T_j$, S decodes $r_i = DC(\mathbf{r}_i)$, computes $\sigma_j = s_j + \sum_{i \in T_j} r_i$ and broadcasts $\sigma_j$ and $T_j$ via $W$.

Recovery Phase For each $1 \le j \le \ell$, R does the same to recover $s_j$. End.

4 This is because $|U| \le wt_A u$, $|T_j| = wt_A$ and the total number of vectors $\mathbf{r}_i$ is $wt_A(u+1) + \ell$.
Proof of perfect security. Omitted. See the full version of this paper [?].

TC of the protocol. In this protocol:

$TC(1) = h(wt_A(u+1) + wt_A u) = O(h\ell)$

$TC(2) = O(u(wt_A h)) = O(h\ell)$

$TC(3) = O(n(wt_A hu + wt_A u + wt_A u(1 + wt_A + 1))) = O(hn\ell)$

We have that the total TC is $O(hn\ell)$ field elements.

5.2 2-Round Directed Protocols 

In [?], Patra et al. showed that in the threshold model, the minimal connectivity for PSMT in directed graphs is not sufficient for a 2-round protocol. Here we do the same. That is, we prove that in the general adversary model, N&S-directed-2 is not sufficient for a 2-round protocol. Note that the general assumption is that the feedback channels are not reliable (i.e., not $2\mathcal{A}$-connected).

Theorem 3. Given a directed graph $G(V, E)$ and an adversary structure $\mathcal{A}$, 2-round PSMT is possible if and only if S and R are $2\mathcal{A}$-connected with the forward paths and $3\mathcal{A}$-connected in $G$.

Proof. First we prove the necessity of the condition. $2\mathcal{A}$-connectivity with the forward paths is obviously necessary. Now assume that S and R are $3\mathcal{A}$-separated in $G$ and there is a 2-round PSMT protocol $\Pi$. Let $view_S$ and $view_R$ be the views of S and R respectively. In Round 1 of $\Pi$, $view_S$ and $view_R$ can be different if the adversary corrupts some feedback paths. Since the feedback paths are not reliable, S cannot detect the differences. Thus after Round 2, because $\Pi$ is perfectly private with respect to $\mathcal{A}$, we regard $view_S$ as a codeword whose information is the message. Thus $view_R$ is $view_S$ plus an error vector caused by a set $A \in \mathcal{A}$. Since S and R are $3\mathcal{A}$-separated, R cannot correct the errors and decode the message. Thus $\Pi$ is not perfectly reliable. We have a contradiction.

Next we show a 2-round PSMT protocol under this condition. We let $\mathcal{A}' = \mathcal{A} \cup \{Q\}$ (if $Q \in \mathcal{A}$, then $\mathcal{A}' = \mathcal{A}$). Since S and R are $2\mathcal{A}$-connected with the forward paths, they are $3\mathcal{A}'$-connected in $G$. The linear code in this protocol is constructed with respect to $\mathcal{A}'$.

2-round directed protocol for a single message $s$

Round 1 - R to S: R chooses a random $k$-vector $\mathbf{r}$, and encodes it to get the codeword $\mathbf{c} = EC(\mathbf{r}) = (c_1, \dots, c_h)$. Suppose that $c_1, \dots, c_t$ are the entries in $\mathbf{c}$ such that $\psi(c_1, \dots, c_t) = Q$; the linear code allows all these entries to be independent.⁵ R then sends the entries $c_1, \dots, c_t$ via $Q$ with respect to $\psi$.
Round 2 - S to R: Upon the entries $c'_1, \dots, c'_t$ that S receives on $Q$, S constructs a $k$-vector $\mathbf{r}'$ such that $c'_1, \dots, c'_t$ are in the codeword $\mathbf{c}' = EC(\mathbf{r}') = (c'_1, \dots, c'_h)$. S decodes $r' = DC(\mathbf{r}')$. S then sends $c'_{t+1}, \dots, c'_h$ via $W$ with respect to $\psi$ and broadcasts $\sigma = s + r'$.

5 This is possible. See the full version of this paper [?] for more details.

Recovery Phase R receives $c''_{t+1}, \dots, c''_h$ and $\sigma$ on $W$. R constructs an $h$-vector $\mathbf{x} = (c_1, \dots, c_t, c''_{t+1}, \dots, c''_h)$. Thus $\mathbf{x} = \mathbf{c}' + \mathbf{e}$ where $\mathbf{e}$ is an error vector caused by a set $A \in \mathcal{A}'$. Due to the $3\mathcal{A}'$-connectivity, R can decode the information $r'$ of $\mathbf{c}'$ from $\mathbf{x}$ and recover $s = \sigma - r'$. End.

Proof of perfect security is omitted. See the full version of this paper [?].

Clearly the TC of this protocol is $O(h)$, and the protocol can transmit $\ell$ messages with a TC of $O(h\ell)$. □
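The 2-round directed protocol above, run end to end in a toy setting. This is an added example, not code from the paper: it fixes the general adversary structure to a threshold one (at most T corrupted paths anywhere in W ∪ Q), so that the linear code can be a Reed-Solomon code over GF(101) with the information symbol at f(0). The field, the path counts (U feedback, N forward), the threshold T and the tampering adversary are all constructed assumptions; the general-adversary code of the paper is replaced by this threshold instance only to make the rounds concrete. Decoding is brute force over K-subsets, which is fine at h = 7.

```python
"""Toy run of the 2-round directed PSMT protocol (threshold special case).
Added illustration, not the paper's code.  All parameters are constructed."""
import random
from itertools import combinations

P = 101            # prime field GF(101)
U, N, T = 2, 5, 2  # feedback paths |Q|, forward paths |W|, corruption bound
H = U + N          # one codeword entry per path: entries 1..U on Q, U+1..H on W
K = T + 1          # polynomial degree < K, so any T entries say nothing about f(0)
assert K > U               # the Q entries must leave a free coefficient (footnote 5)
assert H - K >= 2 * T      # up to T errors are correctable (the 3A'-connectivity role)


def poly_eval(coeffs, x):
    """Evaluate a polynomial given low-to-high coefficients, modulo P."""
    return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P


def mul_linear(poly, a):
    """Multiply poly by (x - a) modulo P."""
    out = [0] * (len(poly) + 1)
    for m, c in enumerate(poly):
        out[m + 1] = (out[m + 1] + c) % P
        out[m] = (out[m] - a * c) % P
    return out


def interpolate(points):
    """Lagrange interpolation over GF(P): the unique polynomial of degree
    < len(points) through the (x, y) pairs, as a coefficient list."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                basis = mul_linear(basis, xj)
                denom = denom * (xi - xj) % P
        scale = yi * pow(denom, P - 2, P) % P
        for m, b in enumerate(basis):
            coeffs[m] = (coeffs[m] + scale * b) % P
    return coeffs


def encode(r):
    """EC: k-vector of coefficients -> h-vector (f(1), ..., f(H))."""
    return [poly_eval(r, j) for j in range(1, H + 1)]


def decode(x):
    """DC with error correction: the unique polynomial of degree < K that
    agrees with x in at least H - T positions, or None if there is none."""
    for idx in combinations(range(H), K):
        f = interpolate([(j + 1, x[j]) for j in idx])
        if sum(poly_eval(f, j + 1) == x[j] for j in range(H)) >= H - T:
            return f
    return None


def tamper(value, rng):
    """Constructed adversary on a corrupted path: replace the entry."""
    return (value + 1 + rng.randrange(P - 1)) % P


def run_protocol(s, corrupt, rng):
    """Transmit s from S to R.  corrupt holds the path indices under adversary
    control (0..U-1 are feedback paths, U..H-1 forward paths)."""
    # Round 1, R -> S: random k-vector r, codeword c, entries c_1..c_U on Q.
    r = [rng.randrange(P) for _ in range(K)]
    c = encode(r)
    got_q = [tamper(c[j], rng) if j in corrupt else c[j] for j in range(U)]
    # Round 2, S -> R: S picks a random codeword c' whose first U entries are
    # the received ones (the free coefficients are fixed by random values at
    # fresh points), sends c'_{U+1..H} on W and broadcasts sigma = s + r'.
    fixed = [(j + 1, got_q[j]) for j in range(U)]
    free = [(U + 1 + m, rng.randrange(P)) for m in range(K - U)]
    r_prime = interpolate(fixed + free)
    c_prime = encode(r_prime)
    sigma = (s + r_prime[0]) % P   # broadcast on W is reliable (2A-connectivity)
    got_w = [tamper(c_prime[j], rng) if j in corrupt else c_prime[j]
             for j in range(U, H)]
    # Recovery: x = (c_1..c_U, c''_{U+1}..c''_H) = c' + e, with |e| <= T errors
    # whether the adversary tampered on Q (x keeps R's own c_j) or on W.
    x = c[:U] + got_w
    f = decode(x)
    return None if f is None else (sigma - f[0]) % P


if __name__ == "__main__":
    rng = random.Random(7)
    for bad in (set(), {0, 1}, {3, 6}, {1, 4}):
        print(sorted(bad), run_protocol(42, bad, rng))
```

Each run recovers the message whether the adversary hits both feedback paths, two forward paths, or one of each; with more than T corrupted paths `decode` can return None or a wrong polynomial, which is the reliability failure the 3𝒜'-connectivity condition rules out.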

6 Conclusion and Open Problems 

In this paper, we regarded general access structures as a special linear code 
and exploited its properties to design PSMT protocols in the general adversary 
model. The construction of our protocols is based on the idea of defining adver- 
sary structure over critical paths. We are the first to study interactive PSMT 
with a constant round complexity. Moreover, the transmission complexity of our 
protocols is similar to the best protocols that use non-constant rounds, which 
is quite unexpected. Also our study on PSMT over multiple messages is new in 
this context. 

Evidently, there are still many unknown properties of the linear codes we 
proposed. The most obvious one is the tight upper bound on h, which is open 
for decades. Another interesting problem is whether in the presence of nonzero
invalid error-vectors, it is possible to have a pseudo-dimension that is smaller
than $O(h)$.

The TC of our 2-round undirected and 3-round directed protocols for multiple
message transmission is $O(hn\ell)$. In [?], the authors used a technique
called generalized broadcast to reduce the TC by $O(n)$. We wonder if generalized
broadcast can further reduce the TC of our protocols to $O(h\ell)$.

Acknowledgment. We would like to thank the anonymous referees for their 
helpful comments on the earlier version of the paper. 
Abstract. Secure multiparty computation (MPC) is one of the most
general and well studied problems in cryptography. We focus on MPC 
protocols that are required to be secure even when the adversary can 
adaptively corrupt parties during the protocol, and under the assumption 
that honest parties cannot reliably erase their secrets prior to corruption. 

Previous feasibility results for adaptively secure MPC in this setting 
applied either to deterministic functionalities or to randomized func- 
tionalities which satisfy a certain technical requirement. The question 
whether adaptive security is possible for all functionalities was left open. 

We provide the first convincing evidence that the answer to this ques- 
tion is negative, namely that some (randomized) functionalities cannot 
be realized with adaptive security. 

We obtain this result by studying the following related invertible sam- 
pling problem: given an efficient sampling algorithm A, obtain another 
sampling algorithm B such that the output of B is computationally in- 
distinguishable from the output of A, but B can be efficiently inverted 
(even if A cannot). This invertible sampling problem is independently 
motivated by other cryptographic applications. We show, under strong 
but well studied assumptions, that there exist efficient sampling algo- 
rithms A for which invertible sampling as above is impossible. At the 
same time, we show that a general feasibility result for adaptively secure 
MPC implies that invertible sampling is possible for every A, thereby 
reaching a contradiction and establishing our main negative result. 


1 Introduction 

Secure multiparty computation (MPC) is one of the most fundamental problems 
in cryptography. The goal of MPC is to allow two or more parties to compute 
some functionality (a deterministic or randomized mapping from inputs to outputs)
while emulating an ideal evaluation of the functionality in which a trusted
party receives all inputs and delivers all outputs. This is formally captured
by simulation-based security definitions, which (roughly speaking) require
that whatever an adversary can achieve by attacking the real execution of the
protocol can also be achieved by a simulator which attacks the above ideal
evaluation process.

Since the introduction of MPC in the 1980s [?], many security definitions
have been proposed and feasibility results shown. In particular, significant
research efforts have been invested in realizing adaptively secure MPC proto- 
cols, whose security is required to hold in the presence of an adversary that 
can corrupt parties adaptively at any point during the protocol. When consider- 
ing adaptive security, it is typically assumed that honest parties cannot reliably 
erase their secrets. This is an assumption we make throughout this work. The 
main challenge in proving the security of cryptographic protocols in this setting 
is that when a new party is corrupted, the simulator needs to provide an expla- 
nation of the internal randomness for this party that has to be consistent with 
the simulated view so far and with the party’s input. 

Adaptively secure protocols in this setting were first constructed by Canetti,
Feige, Goldreich and Naor [?] in a standalone model and then by Canetti, Lindell,
Ostrovsky and Sahai [?] in the universal composability (UC) model [?].
These protocols applied to all deterministic functionalities, but in the case of
randomized functionalities they were restricted to so called adaptively well-formed
functionalities [?]. Intuitively, randomized functionalities can present the following
problem: when the adversary corrupts all the parties in the real execution,¹
he learns the private randomness of all parties. However in the ideal world, if the 
ideal functionality tosses some coins that are kept private and used during the 
computation, the ideal adversary (the simulator) will never learn these private 
coins, even after corrupting every party. The presence of private randomness 
in the ideal world makes it problematic to realize randomized functionalities 
in which the randomness cannot be efficiently computed from the inputs and 
outputs. The “adaptively well formed” functionalities satisfy the syntactic re- 
quirement that they reveal all their internal randomness when all parties are 
corrupted. (In other words, securely realizing such functionalities does not pose 
the challenge of hiding the internal randomness of the functionality from the 
adversary.) The question for general functionalities was left open. 

In this paper we show that, under strong but well studied computational 
assumptions, there exist functionalities which cannot be realized with adaptive 


1 At first glance, it may seem strange to require any security when all parties involved 
in a protocol are eventually corrupted. However, this is important when protocols 
are meant to be composed (even sequentially). For instance, a sub-protocol of a 
larger protocol may involve only a small subset S of the participants of the larger 
protocol. In such a situation, guaranteeing security of the larger protocol when 
(only) the players in S are corrupted would require analyzing the security of the 
sub-protocol when all the participants of the sub-protocol are corrupted. 
security. Concretely, our main negative result relies on the following two assumptions:
(1) the existence of so-called extractable one-way functions [?] (this
is a common generalization of several "knowledge-of-exponent" style assumptions
from the literature [?]), and (2) the existence of non-interactive
zero-knowledge (NIZK) proofs for NP [?].

Our negative result applies to almost every model of adaptively secure computation
without erasures from the literature. This includes stand-alone security in
the semi-honest and malicious models (under the definition of [?]), UC-security
in the CRS model (under the definition of [?]) or even to security in the OT-hybrid
model, where every functionality can be unconditionally realized with
non-adaptive UC-security. Our negative result does not apply to the
case where only a strict subset of the parties can be corrupted (in particular,
to MPC with an honest majority). The existence of uncorrupted parties allows
the simulator to avoid the need for "explaining" the output of the functionality
by providing its internal randomness. Our negative result also does not apply to
adaptive security in the standalone model without post-execution corruption [?];
this (nonstandard) notion of adaptive security does not support even sequential
composition. See Section [?] below.

Invertible sampling. A key concept which we use to obtain our negative result
and is of independent interest is that of invertible sampling (Definition 1 of [?]).
Suppose we are given an efficient sampling algorithm A. Can we always obtain
an alternative efficient sampling algorithm B such that the output of B is
indistinguishable from the output of A, but B can be efficiently inverted in the sense
that its randomness can be efficiently computed based on its output? Here we
refer to a distributional notion of inversion, namely an inversion algorithm $B^{-1}$
is successful if the pair $(r', B(r'))$ is computationally indistinguishable from the
pair $(B^{-1}(B(r')), B(r'))$ where $r'$ is a uniform random input for B. We refer to the
hypothesis that every efficient A admits an efficient B as above as the invertible
sampling hypothesis (ISH). While our study of ISH is primarily motivated by its
relevance to adaptive security, this question is independently motivated by other
cryptographic applications (such as settling the relation between public-key
encryption and oblivious transfer); see Section [?] for details.

The ISH may seem easy to refute under standard assumptions. Indeed, if we 
require the outputs of A and B to be identically distributed, then ISH could be 
refuted based on the existence of any pseudorandom generator G : Let A output 
G(r). The existence of B as above would allow one to distinguish between G(r) 
(for which $B^{-1}$ will find an inverse under B with overwhelming probability)
and a uniformly random string of the same length (which with overwhelming 
probability has no inverse under B). However, the case where the outputs of B 
and A should only be computationally indistinguishable appears to be much more 
challenging. In particular, note that a pseudorandom distribution does admit an 
invertible alternative sampler: the sampler B just outputs a uniformly random 
string. Since this output is computationally indistinguishable from the actual 
distribution, it is consistent with the above formulation of ISH. 
We show, under the assumptions described above, that there exist efficient
sampling algorithms A for which the ISH fails. At the same time, we show that a 
general feasibility result for adaptively secure MPC implies that invertible sam- 
pling is possible for every A, thereby reaching a contradiction and establishing 
our main negative result. 

More precisely, we show that general adaptively secure computation implies 
(and in fact, is equivalent to) a stronger version of ISH in which the sam- 
pling algorithms A, B are given an input x in addition to their random input, 
and where the inversion algorithm $B^{-1}$ should be successful on every input $x$.
This stronger flavor of ISH is ruled out by the assumptions mentioned above, 
namely the existence of extractable one-way functions and NIZK proof systems 
for NP. To rule out the weaker variant of ISH (with no input x) we need to 
use somewhat stronger assumptions: a non-standard (but still plausible) vari- 
ant of an extractable one-way function, and the existence of non-interactive 
witness-indistinguishable (NIWI) protocols for NP without a common reference
string [?].


1.1 Our Techniques 

We now give some intuition on our construction of an efficient sampling algorithm 
A for which ISH does not hold. For this purpose, it is convenient to first describe 
a relativized world (defined via a randomized oracle) in which such A provably 
exists. As a first attempt, suppose that we have an oracle computing a random
function $f : \{0,1\}^n \to \{0,1\}^{2n}$. Now, consider the efficient sampling algorithm
A which outputs a random image of $f$, namely $A(r) = f(r)$. (Note that A is
efficient given oracle access to $f$.) Similarly to the previous PRG example, such
an algorithm is not enough to refute the computational version of ISH: indeed,
the alternative sampler B can simply output a uniformly random string of length
$2n$. The high level idea for ruling out such an alternative sampler is to make the
outputs of $f$ efficiently verifiable. Formally, we add to $f$ an additional oracle $g$
which decides whether a given string $y \in \{0,1\}^{2n}$ is in the image of $f$. (A similar
oracle was used by Wee [?] in the seemingly unrelated context of separating
two notions of computational entropy.)

We now informally argue that ISH is false relative to the randomized oracle
$(f, g)$. Let $A(r) = f(r)$ as before. Assume towards a contradiction that an
alternative sampling algorithm $B(r')$ as required by ISH exists. We argue that B can
be used to efficiently invert $f$ on a random output $y = f(x)$, which remains hard
even when given the decision oracle $g$. By the computational indistinguishability
requirement, it suffices (in order to reach a contradiction) to successfully invert $f$
on a random output $y'$ sampled by B. Moreover, since indistinguishability holds
relative to the verification oracle $g$ we are guaranteed that (with overwhelming
probability) $y'$ as above will be in the image of $f$.

The inversion algorithm for $f$, when given $y'$ sampled by B, uses the inversion
algorithm $B^{-1}$ guaranteed by ISH to obtain a preimage $r'$ of $y'$ under B. Since
$f$ is a random function, it is impossible to efficiently find an image $y'$ of $f$
without querying $f$ on the corresponding pre-image. (Jumping ahead, this is
the step where our explicit non-relativized construction will rely on a knowledge
assumption.) Thus, the inversion algorithm can use $r'$ to extract a preimage $x$ of
$y'$ under $f$ by running B on $r'$ until it queries $f$ on a point $x$ such that $f(x) = y'$.
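The relativized inversion argument in miniature, as an added example that is not the paper's code. The random oracle $f$ on N = 8 bits is a fixed lookup table (so the decision oracle $g$ can simply test membership in the tabulated image), queries to $f$ are logged, and the sampler B is a constructed one that derives its $f$-query from its own randomness; the inverter is handed $r'$ (what ISH's $B^{-1}$ would supply), reruns B on it and reads the preimage off the query log. The oracle construction, the sampler B and the parameter N are all assumptions made for the illustration.

```python
"""Query-observing inversion of f relative to the oracle pair (f, g).
Added illustration, not the paper's code; N, f and sampler_b are constructed."""
import random

N = 8                                     # f : {0,1}^N -> {0,1}^(2N)
_rng = random.Random(2024)                # fixes the "random" function f
_table = {x: _rng.getrandbits(2 * N) for x in range(2 ** N)}
_image = set(_table.values())             # what the decision oracle g knows


class Oracle:
    """Oracle pair (f, g); every f-query is recorded with its answer."""

    def __init__(self):
        self.log = []

    def f(self, x):
        y = _table[x]
        self.log.append((x, y))
        return y

    def g(self, y):
        """g decides whether y lies in image(f)."""
        return y in _image


def sampler_a(r, oracle):
    """A(r) = f(r): the sampler the argument is about."""
    return oracle.f(r % 2 ** N)


def sampler_b(r_prime, oracle):
    """Constructed alternative sampler: derives a point from its own randomness,
    queries f there and outputs the image.  Any B whose outputs pass g with
    overwhelming probability has to make such a query somewhere."""
    x = (r_prime * 37 + 11) % 2 ** N
    return oracle.f(x)


def invert_f_via_b(y_prime, r_prime):
    """Given B's output y' and its randomness r' (the value ISH's B^-1 would
    return), rerun B on r' and return the x of the f-query that produced y'."""
    oracle = Oracle()
    if sampler_b(r_prime, oracle) != y_prime:
        return None                       # r' is not a preimage of y' under B
    for x, y in oracle.log:
        if y == y_prime:
            return x
    return None


def demo(r_prime):
    """Run B on r', invert, and report (y', x, verified) where verified checks
    both g(y') and f(x) == y' with a fresh oracle."""
    y_prime = sampler_b(r_prime, Oracle())
    x = invert_f_via_b(y_prime, r_prime)
    check = Oracle()
    return y_prime, x, check.g(y_prime) and x is not None and check.f(x) == y_prime


if __name__ == "__main__":
    print(demo(5))
```

The extraction step is exactly what a knowledge assumption later replaces: here the simulation sees B's queries, whereas in the explicit construction nothing observes B, so the "B must have computed f(x) itself" step has to be assumed.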

To obtain an explicit version of the above A we use extractable one-way functions
to implement $f$ and a NIZK proof for proving range membership to emulate
the role of $g$ (the latter is similar to the use of NIZK proofs in [?]; see Section
[?]). For technical reasons that have to do with the common reference string
required by the NIZK proof system, we cannot use this approach to refute the
basic version of ISH described above. For this, we need to employ a somewhat
more complicated proof strategy and apply NIWI proofs instead of NIZK proofs.
See Section [?] for details.

1.2 Related Work 

Adaptively secure MPC (without erasures) was first realized in [?] for the
stand-alone case. In [?], a variant of the notion of adaptive security that guarantees
sequential composition was introduced: we refer to the variant from [?] which
requires security against post execution corruption (PEC). Namely, after the
simulation is complete, the environment can ask the adversary to corrupt additional
parties and simulate their views. This variant is used in [?] to prove sequential
composition. In fact, a separation between adaptive security with PEC and
without it has been shown in [?]. We stress that the negative results from [?] apply
to specific protocols rather than functionalities. That is, [?] builds protocols
which are shown to be adaptively secure in one setting but not adaptively
secure in another setting, but does not show any functionality which cannot be
realized with adaptive security, as opposed to our impossibility result.

In the UC security framework [?] the main feasibility result for securely
realizing adaptively well-formed functionalities against an adaptive adversary was
obtained in [?] (see also [?]). This work also suggested the following plausible
candidate for a randomized functionality which cannot be realized with adaptive 
security: on input a security parameter k, output the product of two random k- 
bit primes. However, we do not know how to relate the possibility of realizing this 
functionality with adaptive security to any well-studied assumption. 

If one is willing to assume that honest parties can reliably erase their data, 
security against adaptive adversaries becomes a much easier task. Our negative 
results do not apply to this alternative model, and general feasibility results in 
this model were obtained in [?].

The Invertible Sampling Hypothesis is related to questions of oblivious sam- 
pling that have been studied in other cryptographic contexts. For instance, the 
question of generating a public key for an encryption scheme without learning 
how to decrypt is related to the goal of constructing an oblivious transfer protocol
from a public-key encryption scheme [?]; virtually any non-committing
encryption scheme [?] requires some form of oblivious sampling of public
keys; in a recent result [?] the question of whether ISH holds has been informally
asked, in the context of turning UC-secure protocols in the common reference
string model into semi-honest secure stand-alone protocols. If the common
reference string is a random string, the problem trivially reduces to having one
party publish a random string. If the CRS instead is sampled using some generic
distribution, it is not clear whether a semi-honest party can sample the common
reference string without learning the trapdoor. See Section [?] for a further
discussion of these additional connections of ISH with cryptography.

The knowledge of exponent assumption was introduced in [?], and since then
other specific knowledge of exponent assumptions have been proposed [?],
until in some recent work [?] the abstract notion of extractable functions
has been introduced. Our impossibility results rely on assumptions of this type.
The use of knowledge assumptions in security proofs has received criticism in
the cryptographic community, especially because such assumptions seem hard
to disprove [?] (even though in [?] a "wrong" knowledge assumption from [?]
has been disproved). As far as we know, our work is the first to apply such
assumptions towards negative results in cryptography.

Finally, our use of NIZK and NIWI proofs for NP was inspired by the use
of NIZK in [?] to construct a class of distributions where efficient learning
with an evaluator is possible but coming up with a generator that approximates
the given distribution is infeasible, and by [?] in the context of separating
conditional HILL and Yao entropies. Note, however, that none of these works 
made use of knowledge assumptions; such assumptions appear to be crucial to 
our techniques. 

2 Preliminaries 

Notation. We use $n$ as a length parameter; all probability distributions we
consider in this work will be over strings of length polynomial in $n$. We let $U_n$ denote
the uniform distribution over $\{0,1\}^n$. We use $x \leftarrow X$ to denote the process of
sampling $x$ from the distribution $X$. If $X$ is a set, $x \leftarrow X$ denotes a uniform
choice of $x$ from $X$. For any distribution $X$ and algorithm A, we denote by $A(X)$
the probability distribution on the outputs of A taken over the coin tosses (if
any) of A and an independent random choice of the input $x$ from $X$.

We use the standard notation $\{C_1; C_2; \dots; C_m : D\}$ to denote the distribution
of $D$ obtained as a result of the sampling process defined by the sequence
of instructions $C_1, \dots, C_m$. For example, $\{a \leftarrow X; b \leftarrow A(a) : (a, b)\}$ denotes the
distribution of pairs $(a, b)$ obtained by first picking $a$ from $X$ and then obtaining
$b$ by running A on $a$. Similarly, we use $\Pr[C_1; C_2; \dots; C_m : E]$ to denote the
probability of event $E$ in the probability space defined by the sequence of
instructions $C_1, \dots, C_m$. For instance, $\Pr[a \leftarrow X; b \leftarrow Y : a \neq b]$ is the probability
that when $a$ is chosen according to $X$ and $b$ is independently chosen according
to $Y$, $a$ and $b$ are not equal.

We assume that the reader is familiar with the concepts of negligible function, 
one-way function, pseudorandom generator, and non-interactive zero-knowledge 
proof system. Suitable definitions can be found in the full version or in [?].

By default we assume efficient algorithms to be uniform and efficient distin- 
guishers to be nonuniform. We will use e(-) to denote an unspecified negligible 
function. 
Let $I \subseteq \{0,1\}^*$ be an arbitrary infinite index set. We say that two distribution
ensembles $\{X_w\}_{w \in I}$ and $\{Y_w\}_{w \in I}$ are computationally indistinguishable if for
every polynomial-size circuit family $C_n$ there exists a negligible function $\epsilon$ such
that for every $w \in I$,

$$\bigl|\Pr[C_{|w|}(X_w) = 1] - \Pr[C_{|w|}(Y_w) = 1]\bigr| \le \epsilon(|w|).$$

Sampling algorithms. We will view any probabilistic polynomial time (PPT)
algorithm A as defining an efficient sampling algorithm (or sampler for short).
We let $A(w)$ denote the output distribution of A on input $w$ and $A(w; r_A)$ denote
the output when the random input (i.e., sequence of coin-tosses) is given by $r_A$.
Without loss of generality, we can associate with every efficient A a polynomial
$\ell(\cdot)$ such that $r_A$ is a random input of length $\ell(|w|)$. Under this convention, $A(w)$
is distributed identically to $A(w; U_{\ell(|w|)})$. We will use this convention throughout
the paper. Finally, we will sometimes be interested in the special case of samplers
over a unary input alphabet; in this case A defines a sequence of distributions
$\{A(1^n)\}_{n \in \mathbb{N}}$.

We say that a sampling algorithm A is inverse-samplable if there exists a PPT
inversion algorithm which, given an input $w$ and a sample $y$ from the output
$A(w)$, outputs a random input $r$ for A which is consistent with $w, y$. Moreover, the
choice of $r$ should be "correctly distributed" in the sense that $(w, y, r)$ should be
computationally indistinguishable from $(w, A(w; r_A), r_A)$ where $r_A \leftarrow U_{\ell(|w|)}$. (Such
a distributional inversion requirement is similar in spirit to the definition of a
distributionally one-way function [?].)

Definition 1 (Inverse-Samplable Algorithm). We say that an efficient sampling
algorithm A is inverse-samplable if there exists a PPT inverter algorithm $A^{-1}$
such that the distribution ensembles $\{r_A \leftarrow U_{\ell(|w|)} : (r_A, A(w; r_A))\}_{w \in \{0,1\}^*}$ and
$\{r_A \leftarrow U_{\ell(|w|)} : (A^{-1}(w, A(w; r_A)), A(w; r_A))\}_{w \in \{0,1\}^*}$ are computationally
indistinguishable.


3 Invertible Sampling Hypothesis 

The Invertible Sampling Hypothesis (ISH) is concerned with the possibility of 
inverse-sampling arbitrary efficiently samplable distributions. It is easy to see 
that if one-way functions exist, then there are efficient sampling algorithms which 
are not inverse-samplable. Thus, we settle for the hope that for every efficient 
sampling algorithm A there exists an efficient and inverse-samplable algorithm 
B whose output is computationally indistinguishable from that of A. The ISH 
captures the above hope. We will also consider a weaker variant of ISH, referred 
to as weak ISH, which restricts the sampler A to have a unary input alphabet. 
This is formalized below. 

Hypothesis 1 (Invertible Sampling Hypothesis: ISH). For every efficient 
sampling algorithm A there exists an efficient sampling algorithm B satisfying 
the following two requirements. 
1. Closeness: The distribution ensembles $\{A(w)\}_{w \in \{0,1\}^*}$ and $\{B(w)\}_{w \in \{0,1\}^*}$
are computationally indistinguishable.

2. Invertibility: B is inverse-samplable (see Definition 1).

Hypothesis 2 (Weak ISH). The weak ISH is defined exactly as ISH above, 
except that the inputs w for A and B are restricted to be unary (i.e., are of the 
form $1^n$).

Clearly, ISH implies Weak ISH. The weaker flavor of ISH is somewhat more 
natural in that it refers to the traditional notion of a sampling algorithm (defining 
a single probability distribution for each length parameter n) as opposed to the 
more general notion of a probabilistic algorithm. Moreover, the weak ISH suffices 
for the motivating applications discussed in Section [?]. However, it turns out that
the stronger flavor can be refuted under more standard assumptions and that 
ruling out this flavor suffices for obtaining our main negative result on adaptively 
secure MPC. Thus, in the following we will consider both variants of ISH. 

We will start (in Section 4) by refuting the weak ISH assuming the existence of
a strong variant of extractable one-way functions as well as NIWI proof systems
for NP. We will then (Section [?]) refute the original and stronger variant of
ISH under the weaker assumptions that standard extractable one-way functions 
(generalizing various “knowledge-of-exponent assumptions” from the literature) 
exist, as well as NIZK protocols for NP in the CRS model. At a high level, 
refuting the stronger flavor of ISH is easier because the additional “external” 
input allows us to introduce randomness over which the alternative sampler B 
has no control. This randomness can be used for choosing the CRS for a NIZK 
proof or random parameters for a family of extractable one-way functions. 

4 Conditional Refutation of Weak ISH 

As already discussed in the introduction, any pseudorandom generator $G : 
\{0,1\}^n \to \{0,1\}^{2n}$ provides a nontrivial example of a sampling algorithm for 
which weak ISH holds. Indeed, if $A(1^n)$ outputs $G(r_A)$ where $r_A \leftarrow U_n$, then 
$B(1^n)$ can simply output $r_B$ where $r_B \leftarrow U_{2n}$. 

This example suggests that in order to provide a counterexample for the 
(weak) ISH, it does not suffice for the computation performed by the sampler to 
be one-way and for its output support to be sparse, but its output should also be 
verifiable (a feature missing in the aforementioned example). Jumping ahead, 
verifiability will be achieved via variants of non-interactive zero-knowledge. It turns 
out that even the “sparseness” requirement needs to be significantly strengthened 
in order to rule out the possibility of directly sampling an output without 
knowing a corresponding input. Classes of sparse one-way functions with a similar 
property were studied in [ref] under the umbrella of “knowledge assumptions.” 
Crudely speaking, a knowledge assumption for a function f states that 
if any efficient algorithm A outputs a point in image(f), then the only way A 
could have computed this image is by choosing an x and computing f(x) (here 
it is necessary that image(f) be sparse). Thus the algorithm “knows” x. This is 
formally captured by requiring the existence of an efficient algorithm that can 
extract x from A’s input and randomness. 

A brief outline of our refutation of weak ISH is as follows. Suppose a function 
f is both “extractable” and one-way. Given an algorithm which produces valid 
points in image(f), if we can obtain the randomness that it used, then we can use 
f’s “knowledge extractor” to find pre-images and thus break the one-wayness 
of f. However, to obtain this randomness, we need the algorithm to be 
inverse-samplable. Since weak ISH hypothesizes the existence of such an algorithm, we 
can invert f and contradict its one-wayness. 

Next, we formally prove that weak ISH is false assuming the existence of a 
strong notion of an Extractable One-Way Function (EOWF) and the assumption 
that Non-Interactive Witness Indistinguishable Proofs (NIWI) exist for all of NP. 

We start by defining the two primitives we rely on. An extractable one-way 
function is a one-way function f with the following extraction property: for any 
efficient A which, on random input $r_A$, attempts to output an element y in the 
image of f, there is an efficient extractor $K_A$ which given the random input $r_A$ 
of A succeeds in finding a preimage $x \in f^{-1}(y)$ with roughly the same success 
probability. Formally: 

Definition 2 (Extractable One-Way Function (EOWF)). Let f be a one-way 
function. We say that f is an extractable one-way function if for every PPT 
algorithm A with running time $\ell(n)$ there is a PPT extractor algorithm $K_A$ such 
that for every n: 

$$\Pr[r_A \leftarrow U_{\ell(n)};\ y = A(1^n; r_A);\ x \leftarrow K_A(1^n, r_A) : (f(x) = y) \vee (\forall x',\ f(x') \neq y)] \geq 1 - \epsilon(n)$$ 

for some negligible function $\epsilon$. 

We note that the above definition appears stronger than similar definitions from 
the literature in that it requires f to be a single, explicit one-way function, as 
opposed to a keyed collection of functions. In particular, EOWF as above cannot 
be instantiated using concrete knowledge assumptions from the literature such 
as the ones in [ref]. However, it still seems plausible that (length-flexible 
versions of) practical cryptographic functions satisfy the above definition. In 
Section 5 we will rely on a more standard notion of EOWF (which allows f to 
depend on a random key and captures previous assumptions from the literature) 
in order to refute the strong variant of ISH. 

Next we need the notion of non-interactive witness indistinguishable (NIWI) 
proof systems [ref]. A NIWI proof is used to efficiently prove that an input 
x is in some NP-language L without allowing the verifier to distinguish between 
any two possible witnesses. While the latter witness indistinguishability property 
is weaker than the zero-knowledge property of NIZKs, it turns out that it is 
sufficient for our purposes. The important advantage of NIWI proofs is that they 
can be implemented (under stronger assumptions) without a trusted common 
reference string, which is inherently required for NIZK proofs. 
Definition 3 (Non-Interactive Witness Indistinguishable Proof System [ref]). 
Let L be any NP language, and $R_L$ a fixed witness relation 
for L. Then $\Pi = (P, V)$ is called a non-interactive witness indistinguishable 
(NIWI) proof system for $R_L$ if P and V are PPT algorithms and the following 
conditions hold for some negligible function $\epsilon$: 

1. Completeness. For all $(x, w) \in R_L$ 

$$\Pr[\pi \leftarrow P(x, w);\ b \leftarrow V(x, \pi) : b = 1] \geq 1 - \epsilon(|x|).$$ 

2. Soundness. For all $x \notin L$, for all proof strings $\pi^*$ 

$$\Pr[V(x, \pi^*) = 1] \leq \epsilon(|x|).$$ 

3. Witness Indistinguishability (WI). For every polynomial-size circuit family 
$C_n$, and every $x, w_0, w_1$ such that $(x, w_0) \in R_L$ and $(x, w_1) \in R_L$, 

$$|\Pr[C_n(P(x, w_0)) = 1] - \Pr[C_n(P(x, w_1)) = 1]| \leq \epsilon(|x|).$$ 

NIWI proofs exist for all of NP under well-studied assumptions [ref]. 

We now use the above two primitives to establish the main result of this 
section. 

Theorem 1. If EOWF exists and NIWI proofs exist for NP, then Weak ISH is 
false. 

Proof (sketch): Let f be an EOWF. We first define an efficient sampling algorithm 
A, which outputs two random points in image(f) and also a NIWI proof 
that at least one of the points was correctly computed. That is, the sampling 
algorithm picks random $x_0, x_1 \leftarrow \{0,1\}^n$ and outputs $(f(x_0), f(x_1), \pi)$, where $\pi$ 
is a NIWI proof that either $f(x_0)$ or $f(x_1)$ is in the image of f. More concretely, 
$\pi$ is obtained by running a NIWI prover for the NP relation defined by 

$$R_L((y_0, y_1), w) = 1 \text{ iff } f(w) = y_0 \vee f(w) = y_1$$ 

on input $(f(x_0), f(x_1))$ and witness $x_0$. From Weak ISH, we obtain A’s invertible 
alternate sampling algorithm B and its inverter $B^{-1}$. By the soundness property 
of the NIWI proof, we are (essentially) ensured that the alternate sampler B 
outputs at least one valid point in the image of f. But then we can construct a 
new algorithm X that runs B and outputs at random one of the two images $y_b$. 

Now X is an algorithm that outputs (with significant probability) valid points 
in the image of f. Given that f is an EOWF, there must exist also an extractor 
$K_X$ that given the random input of X outputs $x_b$ such that $y_b = f(x_b)$. Using $B^{-1}$ 
to inverse-sample the random input of X and feeding it to $K_X$ we can efficiently 
invert f, contradicting its one-wayness. See the full version for more details. □ 
5 Conditional Refutation of ISH 

In this section we refute the main (strong) variant of ISH under weaker and more 
standard assumptions than those used to refute Weak ISH. 

We start by defining a relaxed notion of extractable one-way function which is 
similar to the notion of (non-interactively) extractable function family ensemble 
put forward by Canetti and Dakdouk [ref]. In contrast to the previous notion 
from Definition 2, the relaxed notion follows from previous concrete knowledge 
assumptions in the literature such as Damgård’s knowledge of exponent 
assumption [ref]. 

Definition 4 (Function Family Ensemble). A function family, indexed by 
a key space K, is a set of functions $F = \{f_k\}_{k \in K}$ in which each function has the 
same domain and range. A function family ensemble, $\mathcal{F} = \{F_n\}_{n \in \mathbb{N}}$, is defined 
as an ensemble of function families $F_n$ with key spaces $\{K_n\}_{n \in \mathbb{N}}$. 

Definition 5 (One-Way Function Family Ensemble). A function family 
ensemble is one-way if: 

— $f_k$ can be evaluated (given $1^n$, $k \in K_n$, and $x \in \mathrm{domain}(f_k)$) in time 
polynomial in n, and 

— for every polynomial-size circuit family $C_n$ there is a negligible function $\epsilon$ 
such that for every n, 

$$\Pr[k \leftarrow K_n;\ x \leftarrow \mathrm{domain}(f_k);\ x' = C_n(1^n, k, f_k(x)) : f_k(x') = f_k(x)] \leq \epsilon(n).$$ 

Definition 6 (Non-interactively Extractable One-Way Function 
Family Ensembles [ref]). We say that a one-way function family ensemble is 
non-interactively extractable (without auxiliary information) if for any efficient 
sampling algorithm A running in time $\ell(n)$ (with random input $r_A \in U_{\ell(n)}$), 
there exists a PPT algorithm $K_A$ and a negligible function $\epsilon$ such that for all n: 

$$\Pr[k \leftarrow K_n;\ r_A \leftarrow U_{\ell(n)};\ y = A(1^n, k; r_A);\ x \leftarrow K_A(1^n, k, r_A) : (f_k(x) = y) \vee (\forall x',\ f_k(x') \neq y)] \geq 1 - \epsilon(n).$$ 

The difference between the above notion of extractable one-way function family 
ensembles and the notion of EOWF from Definition 2 is that extraction is not 
guaranteed for all functions in the function family but only for a randomly chosen 
function (concretely, the first step $k \leftarrow K_n$ chooses a random function). 
Furthermore, the process of picking the random function may use private randomness 
that is not available to the algorithm A. 

The above difference makes it possible to derive extractable one-way function 
family ensembles from existing knowledge assumptions in the literature [ref]. 
As an example, the Knowledge of Exponent Assumption (KEA) [ref] informally 
states that there exists an ensemble of groups $\{G_n\}_{n \in \mathbb{N}}$ where the discrete 
logarithm problem is hard to solve and any PPT adversary A that on input g, w 
can compute a pair of the form $(g^r, w^r)$ must know r, in the sense that there 
exists an efficient extractor $K_A$ which given the random input of A can compute 
r. Mapping this example to Definition 6, the key space is $K_n = G_n \times G_n$ and 
the function $f_k$ with $k = (w, g)$ is defined by $f_k(r) = (w^r, g^r)$. 

Next, we replace the previous NIWI primitive with non-interactive zero knowledge 
(NIZK) proofs in the common reference string (CRS) model [ref]. We 
omit the (standard) definition of NIZK, but note that the assumptions on which 
NIZK proof systems for NP can be based are significantly more general than 
the corresponding assumptions for NIWI, and include the existence of trapdoor 
permutations [ref]. 

We are now ready to state the main theorem of this section. 

Theorem 2. If non-interactively extractable one-way function family ensembles 
exist and NIZK proof systems exist for NP, then ISH is false. 

Proof (sketch): The proof follows the same outline as the one from Theorem 1, 
but the use of NIZK instead of NIWI allows it to take a somewhat simpler form. 
Let $\mathcal{F}$ be a non-interactively extractable one-way function family ensemble. We 
first define an efficient sampling algorithm A whose inputs are pairs of strings 
$(k, \sigma)$: k is a key from the key space of $\mathcal{F}$ and $\sigma$ is a uniformly random string to 
be used as a CRS for a NIZK proof system. A outputs a random image of $f_k$ and 
a NIZK proof (under $\sigma$) that the output is valid. Let B be the alternate invertible 
sampler hypothesized by ISH. Due to the soundness of the NIZK proof system, 
B outputs valid images of $f_k$ when $\sigma$ is chosen uniformly at random. Since $\mathcal{F}$ 
is extractable, we can use B, its extractor $K_B$ and its inverter $B^{-1}$ to construct 
an efficient inversion algorithm for the family ensemble $\mathcal{F}$, contradicting its 
one-wayness property. See the full version for details. □ 

6 Applications of ISH 

While our main motivation for studying ISH is its relevance to adaptively secure 
MPC (discussed later in Section 7), we start by presenting two other consequences 
of (weak) ISH. In order to avoid any confusion, we remind the reader that in 
the previous sections we disproved ISH under some specific computational as- 
sumptions. However, as we couldn’t disprove ISH unconditionally (or even under 
standard cryptographic assumptions), it is still interesting to investigate the con- 
sequences of ISH in order to put ISH in the proper cryptographic context and 
to further motivate our study. 

PKE and OT: As a first consequence, we note that if ISH holds, this would 
settle the question of the relationship between public key encryption (PKE) and 
oblivious transfer (OT), as studied in [ref]. 

Theorem 3. If ISH holds, then the existence of semantic secure PKE implies 
the existence of an oblivious transfer protocol. 
Proof (sketch): The proof follows by considering a protocol for $\binom{2}{1}$-OT similar 
in spirit to the EGL protocol [22], where the receiver samples one public key 
with the key generation algorithm (thus learning the secret key), and the other 
using the alternate inverse-samplable algorithm, as described in ISH. The receiver’s 
security loosely follows from the closeness property of ISH, while sender security 
can be deduced from the semantic security of the PKE scheme. See the full version 
for details. □ 

Assumptions for UC-secure computation: A systematic study of the minimal 
setup and computational assumptions for UC-secure computation has been 
recently undertaken in [ref]. A question that the authors left open is whether the 
existence of stand-alone oblivious transfer (SA-OT) is a necessary assumption 
for UC-secure oblivious transfer (UC-OT) in the common reference string (CRS) 
model, where the string is sampled from an arbitrary distribution. If ISH holds, 
one could answer this question affirmatively. To show that SA-OT is necessary 
for UC-OT we will show how to construct a protocol for SA-OT assuming that 
UC-OT in the CRS model exists. Intuitively we need to generate a CRS to make 
the protocol work, but we don’t want any party to learn the corresponding trap- 
door. Unfortunately, we cannot let the parties use MPC in order to generate this 
CRS, since unconditional MPC is impossible, and we cannot assume that OT 
exists (or any equivalent computational assumption). But if ISH holds, there is a 
way of sampling any CRS without learning the trapdoor by using the invertible 
sampler, after which parties can run the UC-OT with respect to this CRS. Also 
note that we don’t need this fake CRS to be distributed exactly as the real CRS, 
but just computationally close: if the UC-OT protocol works with the real CRS 
but not with the fake CRS, it could be used as a distinguisher, thus violating 
ISH. Standard compilation techniques can be used to turn this protocol into a 
protocol secure against a malicious adversary. 

7 Adaptive Security and ISH 

In this section we show that our strong variant of ISH (Hypothesis 1) is closely 
related to secure multi-party computation with security against adaptive 
adversaries (adaptive MPC or AMPC for short). We first show that if all randomized 
functionalities admit AMPC protocols, then ISH is true. Combined with 
Theorem 2, this gives the first strong evidence that general AMPC is impossible. 
Then, we proceed to show that if ISH is true and all the parties are mutually 
connected with OT-channels (see footnote 2), then general AMPC is possible, thus showing 
that ISH is essentially equivalent to general AMPC. 

As discussed in the introduction, our results apply to a wide range of AMPC 
models from the literature. For convenience, we will refer to the two-party 
semi-honest model, under the definition of [ref] which requires security against post 
execution corruption (PEC). The latter means that after the execution is 
complete, the environment can ask the adversary to corrupt additional parties. The 
PEC requirement is needed to prove sequential composition of adaptively secure 
protocols, and is implied by most other definitions of adaptive security from the 
literature (such as adaptive UC-security). Our negative result does not hold for 
adaptively secure protocols without PEC (since in the semi-honest two-party 
case, security in this model is equivalent to non-adaptive security [ref]). 

2 Our use of ideal OT can be replaced by any adaptively secure OT protocol, which 
can be based on standard cryptographic assumptions. 

Brief Preliminaries. This section is an informal introduction to (adaptively 
secure) MPC protocols. In an MPC protocol, adaptive security implies that an 
adversarial entity can adaptively choose the parties he wants to corrupt at any 
point in the protocol. An adversary is semi-honest if the parties that he corrupts 
always follow the prescribed protocol. His goal is to try and obtain as much 
information as possible under this constraint. Security against such adversaries is a 
basic requirement for any cryptographic protocol. An ideal model of security for 
MPC protocols is one in which there exists a trusted third party who (via secure 
private channels) receives all the inputs from the participants of the protocol 
and sends back their respective outputs. A semi-honest adversary in this model 
can only learn the input and output of the parties that he corrupts. Considering 
this as a basis for security, in the ideal-real model of [ref], a real world protocol 
for MPC is secure if for every adversary A in the real execution, there exists an 
ideal world adversary S (also known as the simulator), such that the outputs of 
A and S are computationally indistinguishable. We refer the reader to [ref] for 
a more precise definition of this notion. 


7.1 Adaptively Secure MPC Implies ISH 

First we show that if AMPC protocols exist for every functionality $\mathcal{F}$, then ISH 
(Hypothesis 1) is true. 

Theorem 4. If for every PPT functionality $\mathcal{F}$ there exists a protocol $\Pi$ that 
securely realizes $\mathcal{F}$ against an adaptive semi-honest adversary (with PEC), then 
ISH is true. 

Proof (sketch): Consider a two-party randomized functionality $\mathcal{F}$ that takes 
input from both parties and uses some internal coins to compute some function 
f. Now if there exists a protocol $\Pi$ between $P_1, P_2$ that securely implements $\mathcal{F}$, 
in particular the following two conditions will be satisfied: 1) The output of 
the protocol $\Pi$ and the functionality $\mathcal{F}$ are computationally close (because the 
protocol is correct); 2) There exists a simulator S that can explain the randomness 
used by $P_1, P_2$ in $\Pi$ to produce the output z, without access to the functionality’s 
random tape $r_{\mathcal{F}}$. Therefore we can use the protocol and the simulator $(\Pi, S)$ as 
a foundation to build the inverse-samplable algorithm $B, B^{-1}$ that satisfies the 
requirement of ISH. The inverse-samplable algorithm B can be constructed by 
simulating a run of the protocol $\Pi$ between $P_1$ and $P_2$ “in the head”, while the 
inverter $B^{-1}$ will run the simulator S as a subroutine. See the full version for 
more details. □ 
7.2 ISH Implies Adaptively Secure MPC 

In the previous section we showed that AMPC implies ISH. Now we show that 
the converse is true too. 

To make the result stronger, we will show that ISH implies the strongest 
variant of MPC, i.e., multiparty computation secure against an active, adaptive 
adversary in the universally composable security framework (UC-AMPC). Given 
that UC computation is impossible in the plain model, we look at the OT-hybrid 
model where it is possible to evaluate adaptively well-formed functionalities [ref], 
and we show how ISH would allow us to extend this result to all functionalities. 
We refer the reader to [ref] for the definition of UC-AMPC. We look at adaptive 
security, where the adversary A can corrupt any of the two parties $P_1, P_2$ at any 
point during the protocol $\pi$. 

Theorem 5. If ISH holds, then actively secure UC-AMPC is possible for any 
functionality in the UC-OT hybrid model. 

Proof (sketch): It is known that any deterministic functionality can be securely 
implemented in the OT-hybrid model [35,34]. Using the UC composition theorem 
and ISH we extend the result to randomized functionalities. 

Consider a general randomized functionality $(z_1, z_2) \leftarrow \mathcal{F}(x, y; \rho)$, where $\rho$ 
is the private randomness of $\mathcal{F}$, $(x, z_1)$ the input/output of $P_1$, and $(y, z_2)$ the 
input/output of $P_2$. Let $z_i = f_i(x, y; \rho)$. Then from Strong ISH we know that 
there exist $f_i', f_i'^{-1}$, the alternative sampler and the inverter. 

Now define a new, deterministic functionality $\mathcal{G}$ as $(z_1, z_2) = \mathcal{G}((x, \rho_1), (y, \rho_2))$, 
where $z_i = f_i'(x, y; \rho_1 \oplus \rho_2)$, and where $f_i'$ is the alternative sampler for $f_i$. Being 
a deterministic functionality, $\mathcal{G}$ can be securely realized with adaptive security 
in the OT-hybrid model. 

Now the protocol to implement $\mathcal{F}$ in the $\mathcal{G}$-hybrid model proceeds as follows. 
Party $P_i$ picks $\rho_i$ at random, feeds it into $\mathcal{G}$ together with its input, and waits to 
receive the output. Note that the protocol does not exactly compute the required 
functionality f, but $f'$. The indistinguishability requirements of ISH imply that 
the outputs of f and of $f'$ are indistinguishable too, and that suffices for UC 
computation. This protocol can be shown to be UC-secure; see the full version 
for more details. □ 
Abstract. Bit-decomposition, which was proposed by Damgård et al., is 
a powerful tool for multi-party computation (MPC). Given a sharing of 
secret a, it allows the parties to compute the sharings of the bits of a 
in constant rounds. With the help of bit-decomposition, constant-rounds 
protocols for various MPC problems can be constructed. However, bit- 
decomposition is relatively expensive, so constructing protocols for MPC 
problems without relying on bit-decomposition is a meaningful work. 
In multi-party computation, it remains an open problem whether the 
modulo reduction problem can be solved in constant rounds without bit- 
decomposition. 

In this paper, we propose a protocol for (public) modulo reduction 
without relying on bit-decomposition. This protocol achieves constant 
round complexity and linear communication complexity. Moreover, we 
show a generalized bit-decomposition protocol which can, in constant 
rounds, convert the sharing of secret a into the sharings of the digits of 
a, along with the sharings of the bits of every digit. The digits can be 
base-m for any m > 2. 

Keywords: Multiparty Computation, Constant-Rounds, Modulo Re- 
duction, Generalization to Bit-Decomposition. 


1 Introduction 

Secure multi-party computation (MPC) allows the computation of a function f 
when the inputs to f are secret values held by distinct parties. After running the 
MPC protocol, the parties obtain only the predefined outputs but nothing else, 
and the privacy of their inputs is guaranteed. Although generic solutions for 
MPC already exist [ref], the efficiency of these protocols tends to be low. So 
we focus on constructing efficient protocols for specific functions. More exactly, 
we are interested in integer arithmetic in the information theoretic setting [ref]. 

* Supported by the National Natural Science Foundation of China under Grant No. 
60873232. 

** Corresponding author. 

M. Abe (Ed.): ASIACRYPT 2010, LNCS 6477, pp. 483-500, 2010. 

© International Association for Cryptologic Research 2010 


484 C. Ning and Q. Xu 


A proper choice of representation of the inputs can have great influence on the 
efficiency of the computation [ref]. For example, when we want to compute the 
sum or the product of some private integer values, we’d better represent these 
integers as elements of a prime field Z p and perform the computations using an 
arithmetic circuit as additions and multiplications are trivial operations in the 
field. If we use the binary representation of the integers and a Boolean circuit to 
compute the expected result, then we will get a highly inefficient protocol as the 
bitwise addition and multiplication are very expensive [4,5]. On the other hand, 
if we want to compare some (private) integer values, the binary representation 
will be of great advantage as comparison is a bit-oriented operation. In this case, 
the arithmetic circuit over Z p will be a bad choice. 

To bridge the gap between the arithmetic circuits and the Boolean circuits, 
Damgård et al. [ref] proposed a novel protocol, called bit-decomposition, to convert 
a sharing of secret a into the sharings of the bits of a. This protocol is very 
useful both in theory and application. However, the bit-decomposition protocol 
is relatively expensive in terms of round and communication complexities. So the 
work on constructing (constant-rounds) protocols for MPC problems without relying 
on bit-decomposition is not only interesting but also meaningful. Recently, 
in [ref], Nishide et al. constructed more efficient protocols for comparison, interval 
test and equality test of shared secrets without relying on the bit-decomposition 
protocol. However, it remains an open problem whether the modulo reduction 
problem can be solved in constant rounds without bit-decomposition [17]. In 
this paper, we show a linear protocol for the (public) modulo reduction problem 
without relying on bit-decomposition. What’s more, the bit-decomposition 
protocol of [ref] can only decompose the sharing of secret a into the sharings of 
the bits of a. However, especially in practice, we may often need the sharings of 
the digits of a. Here the digits can be base-m for any m ≥ 2. For example, in 
real life, integers are (almost always) represented as base-10 digits. Then, MPC 
protocols for practical use may often require the base-10 digits of the secret 
shared integers. Another example is as follows. If the integers are about time 
and date, then base-24, base-30, base-60, or base-365 digits may be required. So, 
to meet these requirements, we propose a generalization to bit-decomposition in 
this paper. 

1.1 Our Contributions 

First we introduce some necessary notations. We focus mainly on multi-party 
computation based on linear secret sharing schemes. Assume that the underlying 
secret sharing scheme is built in the field $\mathbb{Z}_p$ where p is a prime with bit-length l 
(i.e., $l = \lceil \log p \rceil$). For secret $a \in \mathbb{Z}_p$, we use $[a]_p$ to denote the secret sharing of a, and 
$[a]_B$ to denote the sharings of the bits of a, i.e. $[a]_B = ([a_{l-1}]_p, \ldots, [a_1]_p, [a_0]_p)$. 

The public modulo reduction problem can be formalized as follows: 

$$[x \bmod m]_p \leftarrow \mathrm{Modulo\text{-}Reduction}([x]_p, m)$$ 

where $x \in \mathbb{Z}_p$ and $m \in \{2, 3, \ldots, p-1\}$. 
In existing public modulo reduction protocols [ref], the bit-decomposition 
is involved, incurring $O(l \log l)$ communication complexity. What’s more, in the 
worst case, the communication complexity of this protocol may go up to $O(l^2)$. 
Specifically, the existing modulo reduction protocol uses the bit-decomposition 
protocol to reduce the “size” of the problem, and then uses up to l comparisons, 
which is non-trivial, to determine the final result. This is essentially an 
“exhaustive search”. If the bit-length of the inputs to the comparison protocol 
is relatively long, e.g. $O(l)$ which is often the case, the overall complexity will go 
up to $O(l^2)$. So, the efficiency of the protocol may be very poor. To solve this 
problem, we propose a protocol, which achieves constant round complexity and 
linear communication complexity, for public modulo reduction without relying 
on bit-decomposition. Besides this, we also propose an enhanced protocol that 
can output the sharings of the bits of $x \bmod m$, i.e. $[x \bmod m]_B$. 

Moreover, we also construct a generalized bit-decomposition protocol which 
can, in constant rounds, convert the sharing of secret a into the sharings of 
the digits of a, along with the sharings of the bits of every digit. The digits 
can be base-m for any m > 2. We name this protocol the Base-m Digit-Bit- 
Decomposition Protocol. The asymptotic communication complexity of this 
protocol is $O(l \log l)$. Obviously, when m is a power of 2, this protocol degenerates 
to the bit-decomposition protocol. 

For illustration, we will show an example here. Pick a binary number 
$a = (11111001)_2 = 249$. 

If $[a]_p$ is given to the bit-decomposition protocol as input, it outputs 

$$[a]_B = ([1]_p, [1]_p, [1]_p, [1]_p, [1]_p, [0]_p, [0]_p, [1]_p);$$ 

if $[a]_p$ and $m = 2$ (or $m = 4, 8, 16, 32, \ldots$) are given to our Base-m Digit-Bit-
Decomposition protocol as inputs, it will output the same result as the bit-
decomposition protocol above; however, when $[a]_p$ and $m = 10$ are given to our 
Base-m Digit-Bit-Decomposition protocol, it will output 

$$([a_2]_B, [a_1]_B, [a_0]_B) = (([0]_p, [0]_p, [1]_p, [0]_p), ([0]_p, [1]_p, [0]_p, [0]_p), ([1]_p, [0]_p, [0]_p, [1]_p))$$ 

which is significantly different from the output of bit-decomposition. 

We also propose a simplified version of the protocol, called Base-m Digit-
Decomposition Protocol, which outputs $([2]_p, [4]_p, [9]_p)$ when given $[a]_p$ and 
$m = 10$ as inputs. 

Finally, we strongly recommend that interested readers read [ref], which is 
the full version of this paper. Many of the details are omitted in the present 
paper due to space constraints. 

1.2 Related Work 

The problem of bit-decomposition is a basic problem in MPC and was partially 
solved by Algesheimer et al. in [1]. However, their solution is not constant-rounds 
and can only handle values that are noticeably smaller than p. Damgård et al. 
proposed the first constant-rounds (full) solution to the problem of 
bit-decomposition in [ref]. This ice-breaking work is based on linear secret sharing 
schemes [ref]. Independently, Schoenmakers and Tuyls [12] solved the problem 
of bit-decomposition for multiparty computation based on (Paillier) threshold 
homomorphic cryptosystems [ref]. Somewhat surprisingly, Nishide and Ohta proposed 
solutions for comparison, interval test and equality test of shared secrets 
without relying on bit-decomposition [ref]. Their techniques are novel, and have 
enlightened us a lot. Recently, Toft showed a novel technique that can reduce the 
communication complexity of bit-decomposition to almost linear [ref]. Although 
we do not focus on the “almost linear” property of protocols, some techniques 
proposed in that paper are very inspiring and enlightening to us. In a followup 
work, Reistad and Toft proposed a linear bit-decomposition protocol [ref]. However, 
the security of their protocol is non-perfect. 

As for the problem of modulo reduction (without bit-decomposition), Guajardo 
et al. proposed a partial solution to this problem in the threshold homomorphic 
setting [ref]. In [ref], Catrina et al. dealt with the non-constant-rounds private modulo 
reduction protocol with incomplete accuracy and statistical privacy in the 
setting where shared secrets are represented as fixed-point numbers. 

2 Preliminaries 

In this section we introduce some important notations and some known primi- 
tives which will be frequently mentioned in the rest of the paper. 


2.1 Notations and Conventions 

The multiparty computation considered in this paper is based on linear secret 
sharing schemes, such as Shamir’s [ref]. As mentioned above, we denote the 
underlying field as $\mathbb{Z}_p$ where p is a prime with binary length l. 

As in previous works, such as [ref], we assume that the underlying secret 
sharing scheme allows to compute $[a + b \bmod p]_p$ from $[a]_p$ and $[b]_p$ without 
communication, and that it allows to compute $[ab \bmod p]_p$ from (public) $a \in \mathbb{Z}_p$ 
and $[b]_p$ without communication. We also assume that the secret sharing 
scheme allows to compute $[ab \bmod p]_p$ from $[a]_p$ and $[b]_p$ through communication 
among the parties. We call this procedure the multiplication protocol. Obviously, 
for multiparty computation, the multiplication protocol is a dominant factor of 
complexity as it involves communication. So, as in previous works, the round 
complexity of the protocols is measured by the number of rounds of parallel 
invocations of the multiplication protocol, and the communication complexity 
is measured by the number of invocations of the multiplication protocol. For 
example, if a protocol involves a multiplications in parallel and then another b 
multiplications in parallel, then we can say that the round complexity is 2 and 
the communication complexity is a + b multiplications. We have to say that the 
complexity analysis made in this paper is somewhat rough for we focus mainly 
on the ideas of the solution, but not on the details of the implementation. 

As in [ref], when we write $[C]_p$, where $C$ is a Boolean test, it means that $C \in \{0, 1\}$ and $C = 1$ iff $C$ is true. For example, we use $[x < y]_p$ to denote the output of the comparison protocol, i.e. $(x < y) = 1$ iff $x < y$ holds.

For the base $m \in \{2, 3, \ldots, p-1\}$, define $L(m) = \lceil \log m \rceil$. It is easy to see that we should use $L(m)$ bits to represent a base-$m$ digit. For example, when $m = 10$, we have $L(m) = \lceil \log 10 \rceil = 4$, which means we must use 4 bits to represent a base-10 digit. Notice that $2^{L(m)-1} < m \le 2^{L(m)}$, and $m = 2^{L(m)}$ holds iff $m$ is a power of 2. Moreover, we have $L(m) \le l$ as $m \le p - 1$.

Define $l^{(m)} = \lceil \log_m p \rceil$. Obviously, $l^{(m)}$ is the length of $p$ when $p$ is written in base $m$. Note that $l^{(m)} = \lceil \log_m p \rceil = \lceil \frac{\log p}{\log m} \rceil \le l$ as $m \ge 2$.

For any $a \in \mathbb{Z}_p$, the secret sharing of $a$ is denoted by $[a]_p$. We use $[a]_B$ to denote the bitwise sharing of $a$.

We use $[a]^m_D = ([a_{l^{(m)}-1}]^m_p, \ldots, [a_1]^m_p, [a_0]^m_p)$ to denote the digit-wise sharing of $a$. For $i \in \{0, 1, \ldots, l^{(m)}-1\}$, $[a_i]^m_p$ denotes the sharing of the $i$'th base-$m$ digit of $a$, with $0 \le a_i \le m - 1$.

The digit-bit-wise sharing of $a$, which is denoted by $[a]^m_{D,B}$, is defined as below:

  $[a]^m_{D,B} = ([a_{l^{(m)}-1}]^m_B, \ldots, [a_1]^m_B, [a_0]^m_B)$,

in which $[a_i]^m_B = ([a_i^{L(m)-1}]_p, \ldots, [a_i^1]_p, [a_i^0]_p)$ ($i \in \{0, 1, \ldots, l^{(m)}-1\}$) denotes the bitwise sharing of the $i$'th base-$m$ digit of $a$. Note that $[a_i]^m_B$ has $L(m)$ bits.

Sometimes, if $m$ can be inferred from the context, we may write $[a_i]^m_p$ (or $[a_i]^m_B$) as $[a_i]_p$ (or $[a_i]_B$) for simplicity.

In this paper, we often need to get the digit-wise representation or the digit-bit-wise representation of some public value $c$, i.e. $[c]^m_D$ or $[c]^m_{D,B}$. This can be done freely as $c$ is public.

It's easy to see that if we have obtained $[x]_B$, then $[x]_p$ can be freely obtained by a linear combination. We can think of this as $[x]_B$ containing "more information" than $[x]_p$. For example, if we get $[a]^m_{D,B} = ([a_{l^{(m)}-1}]^m_B, \ldots, [a_1]^m_B, [a_0]^m_B)$, then $[a]^m_D = ([a_{l^{(m)}-1}]^m_p, \ldots, [a_1]^m_p, [a_0]^m_p)$ is implicitly obtained. In protocols that can output both $[x]_B$ and $[x]_p$, which is often the case in this paper, we always omit $[x]_p$ for simplicity.

Given $[c]_p$, we need a protocol to reveal $c$, which is denoted by $c \leftarrow \mathrm{reveal}([c]_p)$.

When we write the command $C \leftarrow b\,?\,A : B$, where $A, B, C \in \mathbb{Z}_p$ and $b \in \{0, 1\}$, it means the following: if $b = 1$, then $C$ is set to $A$; otherwise, $C$ is set to $B$.

We call this command the conditional selection command. When all the variables in this command are public, this "selection" can of course be done. When the variables are shared or even bitwise shared, this can also be done. Specifically, the command

  $[C]_p \leftarrow [b]_p\,?\,[A]_p : [B]_p$

can be realized by setting

  $[C]_p \leftarrow [b]_p([A]_p - [B]_p) + [B]_p$,

which costs 1 round and 1 multiplication; the command

  $[C]_B \leftarrow [b]_p\,?\,[A]_B : [B]_B$

can be realized by the following procedure:

  For $i = 0, 1, \ldots, l-1$ in parallel: $[C_i]_p \leftarrow [b]_p([A_i]_p - [B_i]_p) + [B_i]_p$
  $[C]_B \leftarrow ([C_{l-1}]_p, \ldots, [C_1]_p, [C_0]_p)$   ▷ $|A| = |B| = |C| = l$

Note that the above procedure costs 1 round and $l$ invocations of multiplication. Other cases, such as $[C]^m_D \leftarrow [b]_p\,?\,[A]^m_D : [B]^m_D$ and $[C]^m_{D,B} \leftarrow [b]_p\,?\,[A]^m_{D,B} : [B]^m_{D,B}$, can be realized similarly. We will frequently use this conditional selection command in our protocols.
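To make the cost model above concrete, here is an added example in Python (not the paper's code): an $n$-party additive sharing over $\mathbb{Z}_p$ in which addition and multiplication by a public scalar are local, a product of two shared values goes through a Beaver-triple multiplication protocol, and a meter counts invocations and rounds. The two conditional selection commands are implemented exactly as given above, so the meter reports 1 round and 1 multiplication for the shared case and 1 round and $l$ multiplications for the bitwise case. The prime, the party count, the simulated trusted dealer that hands out triples, and the sample values are all assumptions of this example.

```python
"""Toy linear secret sharing over Z_p with a cost meter (added example).
Additive n-party shares; add/scalar-mul are local, products use a
Beaver triple from a simulated trusted dealer (an assumption of this
example, not a protocol of the paper). P and N_PARTIES are constructed."""
import secrets

P = 2**61 - 1      # prime field modulus, constructed choice
N_PARTIES = 3


class Meter:
    """Counts multiplication-protocol invocations and communication rounds."""
    def __init__(self):
        self.mults = 0
        self.rounds = 0


class Share:
    """[a]_p as additive parts a_1..a_n with sum(a_i) = a (mod P)."""
    def __init__(self, parts):
        self.parts = list(parts)

    @classmethod
    def of(cls, a):
        parts = [secrets.randbelow(P) for _ in range(N_PARTIES - 1)]
        parts.append((a - sum(parts)) % P)
        return cls(parts)

    @classmethod
    def of_public(cls, c):
        # a public constant needs no randomness: party 1 holds c, others 0
        return cls([c % P] + [0] * (N_PARTIES - 1))

    def reveal(self):
        return sum(self.parts) % P

    # Local operations (no communication): addition and public scalars.
    def __add__(self, other):
        if not isinstance(other, Share):
            other = Share.of_public(other)
        return Share((u + v) % P for u, v in zip(self.parts, other.parts))

    def __sub__(self, other):
        if not isinstance(other, Share):
            other = Share.of_public(other)
        return self + other.scale(-1)

    def scale(self, k):
        return Share((k * u) % P for u in self.parts)


def mul(x, y, meter):
    """Multiplication protocol: [xy]_p from [x]_p, [y]_p with a Beaver triple
    ([a],[b],[ab]). The parties open d = x-a and e = y-b (the one exchange),
    then xy = ab + d*b + e*a + d*e is a local combination."""
    a, b = secrets.randbelow(P), secrets.randbelow(P)
    A, B, C = Share.of(a), Share.of(b), Share.of(a * b % P)
    d, e = (x - A).reveal(), (y - B).reveal()
    meter.mults += 1
    return C + B.scale(d) + A.scale(e) + (d * e % P)


def select(b, A, B, meter):
    """[C]_p <- [b]_p ? [A]_p : [B]_p  as  [b]([A]-[B]) + [B]: 1 round, 1 mult."""
    meter.rounds += 1
    return mul(b, A - B, meter) + B


def select_bits(b, A_bits, B_bits, meter):
    """[C]_B <- [b]_p ? [A]_B : [B]_B: l selections in parallel, so 1 round."""
    meter.rounds += 1
    return [mul(b, a - c, meter) + c for a, c in zip(A_bits, B_bits)]


def share_bits(v, l):
    """[v]_B: a sharing per bit, index 0 = least significant bit."""
    return [Share.of((v >> i) & 1) for i in range(l)]


def bits_to_value(bit_shares):
    """Free linear combination recovering [v]_p from [v]_B."""
    acc = Share.of_public(0)
    for i, s in enumerate(bit_shares):
        acc = acc + s.scale(pow(2, i, P))
    return acc


def demo(l=8):
    """Run both selection forms; returns (C, C', rounds, multiplications)."""
    meter = Meter()
    C = select(Share.of(1), Share.of(1234), Share.of(99), meter).reveal()
    C_bits = select_bits(Share.of(0), share_bits(200, l), share_bits(45, l), meter)
    return C, bits_to_value(C_bits).reveal(), meter.rounds, meter.mults
```

`demo(8)` returns `(1234, 45, 2, 9)`: the first selection picks $A$ with one multiplication, the second picks $B$ bit by bit with eight, and both selections take one round each. Changing `l` changes only the multiplication count, which is the point the text makes about the bitwise case.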

2.2 Known Primitives 

We will now briefly introduce some existing primitives which are important building blocks of this paper. All these primitives are proposed in [ref].

• Random-Bit. The Random-Bit protocol is the most basic primitive; it generates a shared uniformly random bit unknown to all parties. In the linear secret sharing setting, which is the case in this paper, it takes only 2 rounds and 2 multiplications.

• Bitwise-LessThan. Given two bitwise shared inputs $[x]_B$ and $[y]_B$, the Bitwise-LessThan protocol computes a shared bit $[x < y]_p$. We note that using the method of [ref], this protocol can be realized in 6 rounds and $13l + 6\sqrt{l}$ multiplications. Notice that $13l + 6\sqrt{l} < 14l$ holds for $l > 36$, which is often the case in practice. So, for simplicity, we refer to the complexity of this protocol as 6 rounds and $14l$ multiplications.

• Bitwise-Addition. Given two bitwise shared inputs $[x]_B$ and $[y]_B$, the Bitwise-Addition protocol outputs $[x + y]_B$. An important point of this protocol is that $d = x + y$ holds over the integers, not (only) mod $p$. This protocol, which costs 15 rounds and $47 l \log l$ multiplications, is the most expensive primitive of the bit-decomposition protocol of [ref]. We will not use this primitive in this paper, but use Bitwise-Subtraction instead. However, the asymptotic complexity of our Bitwise-Subtraction protocol is the same as that of Bitwise-Addition, since they both involve a generic prefix protocol which costs $O(l \log l)$ multiplications. We will introduce our Bitwise-Subtraction protocol later.

3 A Simple Introduction to Our New Primitives 

In this section, we will briefly introduce the new primitives proposed in this paper. We will only describe the inputs and the outputs of the protocols, along with some simple comments. All these new primitives will be described in detail in Section 6.

• Bitwise-Subtraction. The Bitwise-Subtraction protocol accepts two bitwise shared values $[x]_B$ and $[y]_B$ and outputs $[x - y]_B$. This protocol was in fact first proposed in [ref] and is re-described (in a widely different form) in this paper. In our protocols, we only need a restricted version (of Bitwise-Subtraction) which requires $x \ge y$. A run of this restricted protocol is denoted by

  $[x - y]_B \leftarrow \mathrm{Bitwise\text{-}Subtraction}^*([x]_B, [y]_B)$.

It costs 15 rounds and $47 l \log l$ multiplications.

• BORROWS. This protocol is used as a sub-protocol in the Bitwise-Subtraction protocol above to compute the borrow bits (as well as in the Bitwise-Subtraction* protocol). Given two bitwise sharings $[x]_B$ and $[y]_B$, this protocol outputs

  $([b_{l-1}]_p, \ldots, [b_1]_p, [b_0]_p) \leftarrow \mathrm{BORROWS}([x]_B, [y]_B)$

where $[b_i]_p$ is the sharing of the borrow bit at bit-position $i \in \{0, 1, \ldots, l-1\}$.

• Random-Digit-Bit. Given $m \in \{2, 3, \ldots, p-1\}$ as input, the Random-Digit-Bit protocol outputs

  $[d]^m_B = ([d^{L(m)-1}]_p, \ldots, [d^1]_p, [d^0]_p) \leftarrow \mathrm{Random\text{-}Digit\text{-}Bit}(m)$

where $d \in \{0, 1, \ldots, m-1\}$ represents a base-$m$ digit. Notice that $[d]^m_p$ is implicitly obtained. The complexity of this protocol is 8 rounds and $16L(m)$ multiplications.

• Digit-Bit-wise-LessThan. The Digit-Bit-wise-LessThan protocol accepts two digit-bit-wise shared values $[x]^m_{D,B}$ and $[y]^m_{D,B}$ and outputs

  $[x < y]_p \leftarrow \mathrm{Digit\text{-}Bit\text{-}wise\text{-}LessThan}([x]^m_{D,B}, [y]^m_{D,B})$.

The complexity of this protocol is 6 rounds and $14l$ multiplications.

• Random-Solved-Digits-Bits. Using the above two primitives as sub-protocols, we can construct the Random-Solved-Digits-Bits protocol which, when given $m \in \{2, 3, \ldots, p-1\}$ as input, outputs a digit-bit-wise shared random value $[r]^m_{D,B}$ satisfying $r < p$. We denote a run of this protocol by

  $[r]^m_{D,B} \leftarrow \mathrm{Random\text{-}Solved\text{-}Digits\text{-}Bits}(m)$.

This protocol takes 14 rounds and $312l$ multiplications.

• Digit-Bit-wise-Subtraction. This protocol is a novel generalization of the bitwise subtraction protocol and is very important to this paper. It accepts two digit-bit-wise shared values $[x]^m_{D,B}$ and $[y]^m_{D,B}$ and outputs $[x - y]^m_{D,B}$. Again, in this paper, we need only a restricted version which requires $x \ge y$. A run of this restricted protocol is denoted by

  $[x - y]^m_{D,B} \leftarrow \mathrm{Digit\text{-}Bit\text{-}wise\text{-}Subtraction}^*([x]^m_{D,B}, [y]^m_{D,B})$.

This restricted protocol costs 30 rounds and $47 l \log l + 47 l \log(L(m))$ multiplications. What's more, if we don't need $[x - y]^m_{D,B}$ but (only) need $[x - y]^m_D$ instead, then this restricted protocol can be (further) simplified. We denote a run of this (further) simplified protocol by

  $[x - y]^m_D \leftarrow \mathrm{Digit\text{-}Bit\text{-}wise\text{-}Subtraction}^{*-}([x]^m_{D,B}, [y]^m_{D,B})$.

The complexity of this protocol goes down to 21 rounds and $16l + 47 l^{(m)} \log(l^{(m)})$ multiplications.

With the above primitives, we can construct our Modulo-Reduction protocol and Base-m Digit-Bit-Decomposition protocol, which will be described in detail in Section 4 and Section 5, respectively.

4 Multiparty Computation for Modulo Reduction without Bit-Decomposition

In this section, we give our (public) Modulo-Reduction protocol, which is realized without relying on bit-decomposition. This protocol is constant-rounds and involves only $O(l)$ multiplications. Informally speaking, our Modulo-Reduction protocol is essentially a Least Significant Digit protocol and is a natural generalization of the Least Significant Bit protocol (i.e. the LSB protocol) in [12]. Recall that for an integer $a$, the sharing of the least significant base-$m$ digit of $a$ is denoted by $[a_0]^m_p$, and the bitwise sharing of the least significant base-$m$ digit of $a$ is denoted by $[a_0]^m_B$. The protocol is described in detail in Protocol 1.


Protocol 1. The modulo reduction protocol, Modulo-Reduction(·), for computing the residue of a shared integer modulo a public integer.

Input: $[x]_p$ with $x \in \mathbb{Z}_p$ and $m \in \{2, 3, \ldots, p-1\}$.

Output: $[x \bmod m]_p$.

Process:

  $[r]^m_{D,B} \leftarrow \mathrm{Random\text{-}Solved\text{-}Digits\text{-}Bits}(m)$
  $c \leftarrow \mathrm{reveal}([x]_p + [r]_p)$   ▷ Note that $[r]^m_{D,B}$ implies $[r]_p$. (1.a)
  $[X_1]^m_p \leftarrow [c_0]^m_p - [r_0]^m_p$   ▷ $[r]^m_{D,B}$ implies $[r_0]^m_p$.
  $[X_2]^m_p \leftarrow [c_0]^m_p - [r_0]^m_p + m$
  $[s]_p \leftarrow \mathrm{Bitwise\text{-}LessThan}([c_0]^m_B, [r_0]^m_B)$ (1.b)
  $[X]^m_p \leftarrow [s]_p\,?\,[X_2]^m_p : [X_1]^m_p$   ▷ A conditional selection command.
  $c' \leftarrow c + p$   ▷ Addition over the integers.
  $[X_1']^m_p \leftarrow [c_0']^m_p - [r_0]^m_p$
  $[X_2']^m_p \leftarrow [c_0']^m_p - [r_0]^m_p + m$
  $[s']_p \leftarrow \mathrm{Bitwise\text{-}LessThan}([c_0']^m_B, [r_0]^m_B)$ (1.c)
  $[X']^m_p \leftarrow [s']_p\,?\,[X_2']^m_p : [X_1']^m_p$
  $[t]_p \leftarrow \mathrm{Digit\text{-}Bit\text{-}wise\text{-}LessThan}([c]^m_{D,B}, [r]^m_{D,B})$ (1.d)
  $[x \bmod m]_p = [x_0]^m_p \leftarrow [t]_p\,?\,[X']^m_p : [X]^m_p$
  Return $[x \bmod m]_p$


Correctness: By simulating a base-$m$ addition process, the protocol extracts $[x_0]^m_p$, which is just $[x \bmod m]_p$. See [ref] for the details.

Privacy: The only possible information leakage takes place in line (1.a), where a reveal command is involved. However, the revealed value, i.e. $c$, is uniformly random, so it leaks no information about the secret $x$. So the privacy is guaranteed.

Complexity: Complexity comes mainly from the invocations of sub-protocols. Note that the two invocations of Bitwise-LessThan and the invocation of Digit-Bit-wise-LessThan can be scheduled in parallel. In all it costs 22 rounds and

  $312l + 14L(m) + 1 + 14L(m) + 1 + 14l + 1 = 326l + 28L(m) + 3$

multiplications. Recall that $L(m) \le l$, so the communication complexity is upper bounded by $354l + 3$ multiplications.
The original modulo reduction problem does not require the sharings of the bits of the residue, i.e. $[x \bmod m]_B$. So in the above protocol, $[x \bmod m]_B$ is not computed. However, if we want, we can get $[x \bmod m]_B$ using an enhanced version of the above Modulo-Reduction protocol. This enhanced protocol will be denoted by Modulo-Reduction$^{+}$(·). The construction is given as Protocol 2.


Protocol 2. The enhanced modulo reduction protocol, Modulo-Reduction$^{+}$(·), for computing the bitwise shared residue of a shared integer modulo a public integer.

Input: $[x]_p$ with $x \in \mathbb{Z}_p$ and $m \in \{2, 3, \ldots, p-1\}$.

Output: $[x \bmod m]_B$.

Process:

  $[r]^m_{D,B} \leftarrow \mathrm{Random\text{-}Solved\text{-}Digits\text{-}Bits}(m)$
  $c \leftarrow \mathrm{reveal}([x]_p + [r]_p)$
  $[M_1]_B \leftarrow [c_0]_B$,   $[S_1]_B \leftarrow [r_0]_B$
  $[M_2]_B \leftarrow [c_0 + m]_B$,   $[S_2]_B \leftarrow [r_0]_B$   ▷ Addition over the integers.
  $[s]_p \leftarrow \mathrm{Bitwise\text{-}LessThan}([c_0]_B, [r_0]_B)$
  $[M]_B \leftarrow [s]_p\,?\,[M_2]_B : [M_1]_B$   ▷ Involving $L(m)$ multiplications.
  $[S]_B \leftarrow [s]_p\,?\,[S_2]_B : [S_1]_B$
  $c' \leftarrow c + p$   ▷ Addition over the integers.
  $[M_1']_B \leftarrow [c_0']_B$,   $[S_1']_B \leftarrow [r_0]_B$
  $[M_2']_B \leftarrow [c_0' + m]_B$,   $[S_2']_B \leftarrow [r_0]_B$
  $[s']_p \leftarrow \mathrm{Bitwise\text{-}LessThan}([c_0']_B, [r_0]_B)$
  $[M']_B \leftarrow [s']_p\,?\,[M_2']_B : [M_1']_B$
  $[S']_B \leftarrow [s']_p\,?\,[S_2']_B : [S_1']_B$
  $[t]_p \leftarrow \mathrm{Digit\text{-}Bit\text{-}wise\text{-}LessThan}([c]^m_{D,B}, [r]^m_{D,B})$
  $[M]_B \leftarrow [t]_p\,?\,[M']_B : [M]_B$   ▷ $M$ is the minuend.
  $[S]_B \leftarrow [t]_p\,?\,[S']_B : [S]_B$   ▷ $S$ is the subtrahend.
  $[x \bmod m]_B = [x_0]_B \leftarrow \mathrm{Bitwise\text{-}Subtraction}^*([M]_B, [S]_B)$
  Return $[x \bmod m]_B$

The correctness and privacy of this protocol can be proved similarly to the Modulo-Reduction protocol above. By carefully selecting the minuend and the subtrahend, we get the expected result using only one invocation of the Bitwise-Subtraction* protocol. The overall complexity of this protocol is 37 rounds and

  $326l + 28L(m) + 47L(m)\log(L(m)) + 6L(m) = 326l + 34L(m) + 47L(m)\log(L(m))$

multiplications.

5 A Generalization to Bit-Decomposition

In this section, we propose our generalization of bit-decomposition, i.e. the Base-m Digit-Bit-Decomposition protocol. The details of this protocol are presented in Protocol 3. The main framework of this protocol is similar to the bit-decomposition protocol of [ref].


Protocol 3. The Base-m Digit-Bit-Decomposition protocol, Digit-Bit-Decomposition(·, m), for converting the sharing of a secret $x$ into the digit-bit-wise sharing of $x$.

Input: $[x]_p$ with $x \in \mathbb{Z}_p$ and the base $m \in \{2, 3, \ldots, p-1\}$.

Output: $[x]^m_{D,B}$.

Process:

  $[r]^m_{D,B} \leftarrow \mathrm{Random\text{-}Solved\text{-}Digits\text{-}Bits}(m)$
  $c \leftarrow \mathrm{reveal}([x]_p + [r]_p)$ (3.a)
  $c' \leftarrow c + p$
  $[t]_p \leftarrow \mathrm{Digit\text{-}Bit\text{-}wise\text{-}LessThan}([c]^m_{D,B}, [r]^m_{D,B})$ (3.b)
  $[c]^m_{D,B} \leftarrow [t]_p\,?\,[c']^m_{D,B} : [c]^m_{D,B}$   ▷ Note that $c = x + r$.
  $[x]^m_{D,B} \leftarrow \mathrm{Digit\text{-}Bit\text{-}wise\text{-}Subtraction}^*([c]^m_{D,B}, [r]^m_{D,B})$ (3.c)
  Return $[x]^m_{D,B}$



Correctness is described in detail in [ref]. Privacy is straightforward. The overall complexity of this protocol is $14 + 6 + 30 = 50$ rounds and

  $312l + 14l + (47l\log l + 47l\log(L(m))) = 326l + 47l\log l + 47l\log(L(m))$

multiplications. The communication complexity is upper bounded by $326l + 94l\log l$ multiplications as $L(m) \le l$.

If we do not need $[x]^m_{D,B}$ but (only) need $[x]^m_D$ instead, then the above protocol can be simplified. The method is to replace the Digit-Bit-wise-Subtraction* protocol with the Digit-Bit-wise-Subtraction*⁻ protocol. We call this simplified protocol the Base-m Digit-Decomposition protocol, a run of which is denoted by Digit-Decomposition(·, m). The correctness and privacy of this protocol can be proved similarly. The complexity goes down to $14 + 6 + 21 = 41$ rounds and

  $312l + 14l + (16l + 47l^{(m)}\log(l^{(m)})) = 342l + 47l^{(m)}\log(l^{(m)})$

multiplications. Recall that $l^{(m)} = \lceil \log_m p \rceil \le l$, so the communication complexity is upper bounded by $342l + 47l\log l$ multiplications.
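The following added example (not the paper's code) traces Protocol 1 and Protocol 3 on cleartext values in Python. Every sub-protocol is replaced by its ideal result (the comparison bits, the digit selections, and a digit-by-digit subtraction with borrows standing in for Digit-Bit-wise-Subtraction*), so what remains is exactly the base-$m$ addition argument behind the correctness claim: the revealed $c = x + r \bmod p$, the wrap-around test $c < r$, and the choice between $c$ and $c' = c + p$. The check is exhaustive over all $x, r \in \mathbb{Z}_p$ for the small constructed primes and bases used here; the function names are this example's own.

```python
"""Cleartext trace of Protocol 1 (Modulo-Reduction) and Protocol 3
(Digit-Bit-Decomposition); added example, not the paper's code.
Sub-protocols are replaced by their ideal plaintext results."""


def L(m):
    """L(m) = ceil(log2 m): bits per base-m digit (exact, no floating point)."""
    return (m - 1).bit_length()


def l_m(m, p):
    """l^(m) = ceil(log_m p): the number of base-m digits of p."""
    n, v = 0, p
    while v:
        v, n = v // m, n + 1
    return n


def digits(v, m, n):
    """The n least significant base-m digits of v, least significant first."""
    return [(v // m**i) % m for i in range(n)]


def from_digits(ds, m):
    return sum(d * m**i for i, d in enumerate(ds))


def to_digit_bits(ds, m):
    """Digit-bit-wise form: each digit as L(m) bits, least significant first."""
    return [[(d >> j) & 1 for j in range(L(m))] for d in ds]


def modulo_reduction(x, r, m, p):
    """Protocol 1 on cleartext. Only c is 'revealed'; r is known here purely
    to stand in for the shared digits [r_0] and the comparison outputs."""
    c = (x + r) % p                           # (1.a)

    def least_significant_digit_of(cc):
        # the two candidates for the LSD of cc - r, and the digit comparison
        c0, r0 = cc % m, r % m
        x1, x2 = c0 - r0, c0 - r0 + m
        s = int(c0 < r0)                      # (1.b) / (1.c) Bitwise-LessThan
        return x2 if s else x1                # conditional selection

    X = least_significant_digit_of(c)
    X_prime = least_significant_digit_of(c + p)   # c' = c + p over the integers
    t = int(c < r)                            # (1.d): c wrapped past p iff c < r
    return X_prime if t else X


def digit_bit_decomposition(x, r, m, p):
    """Protocol 3 on cleartext: pick c or c' = c + p so that it equals x + r
    over the integers, then subtract r digit by digit with borrows (the role
    of Digit-Bit-wise-Subtraction*). Returns the base-m digits of x."""
    n = l_m(m, p)
    c = (x + r) % p                           # (3.a)
    t = int(c < r)                            # (3.b)
    cc = c + p if t else c                    # now cc == x + r as integers
    cd, rd = digits(cc, m, n + 1), digits(r, m, n + 1)
    out, borrow = [], 0
    for ci, ri in zip(cd, rd):                # (3.c)
        d = ci - ri - borrow
        borrow = int(d < 0)
        out.append(d + m if borrow else d)
    return out[:n]                            # x < p < m^n, so n digits suffice


def check_all(m, p):
    """Exhaustive check of both protocols over every x and r in Z_p."""
    for x in range(p):
        for r in range(p):
            if modulo_reduction(x, r, m, p) != x % m:
                return False
            if from_digits(digit_bit_decomposition(x, r, m, p), m) != x:
                return False
    return True
```

`check_all(10, 101)` walks all $101^2$ pairs $(x, r)$ and confirms that the selected candidate equals $x \bmod 10$ and that the digit-wise subtraction returns the base-10 digits of $x$; `to_digit_bits` shows the $L(m)$-bit form of each digit that the protocols carry as $[x_i]^m_B$.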

6 Realizing the Primitives

In this section, we describe in detail the (new) primitives which are essential for the protocols of our paper. Informally, most of the protocols in this section are generalized versions of the protocols of [ref] from base 2 to base $m$ for any $m \ge 2$. It will be seen that, when $m$ is a power of 2, some of our primitives degenerate to the existing primitives in [ref]. So, in the complexity analysis, we focus on the case where $m$ is not a power of 2, i.e. $m < 2^{L(m)}$.

6.1 Bitwise-Subtraction

We describe the Bitwise-Subtraction protocol here. In fact, this protocol was already proposed in [ref]. They reduced the problem of bitwise subtraction to the Post-fix Comparison problem. Here, we re-consider the problem of bitwise subtraction and solve it in a (highly) similar manner to the Bitwise-Addition protocol of [ref].

As mentioned in Section 3, we first propose a restricted (bitwise-subtraction) protocol, Bitwise-Subtraction*, which requires that the minuend is not less than the subtrahend. We will only use this restricted version in this paper. The general version without the above restriction can be realized with the help of the Bitwise-LessThan protocol. See [ref] for the details. Given a BORROWS protocol that can compute the sharings of the borrow bits, the Bitwise-Subtraction* protocol can be realized as in Protocol 4.


Protocol 4. The restricted bitwise-subtraction protocol, Bitwise-Subtraction*(·), for computing the bitwise sharing of the difference between two bitwise shared values. This protocol requires that the minuend is not less than the subtrahend.

Input: $[x]_B = ([x_{l-1}]_p, \ldots, [x_1]_p, [x_0]_p)$ and $[y]_B = ([y_{l-1}]_p, \ldots, [y_1]_p, [y_0]_p)$ satisfying $x \ge y$.

Output: $[x - y]_B = [d]_B = ([d_{l-1}]_p, \ldots, [d_1]_p, [d_0]_p)$.

Process:

  $([b_{l-1}]_p, \ldots, [b_1]_p, [b_0]_p) \leftarrow \mathrm{BORROWS}([x]_B, [y]_B)$
  $[d_0]_p \leftarrow [x_0]_p - [y_0]_p + 2[b_0]_p$
  For $i = 1, 2, \ldots, l-1$ in parallel: $[d_i]_p \leftarrow [x_i]_p - [y_i]_p + 2[b_i]_p - [b_{i-1}]_p$
  $[x - y]_B = [d]_B \leftarrow ([d_{l-1}]_p, \ldots, [d_1]_p, [d_0]_p)$
  Return $[x - y]_B$


Note that the output of this protocol, i.e. $[x - y]_B$, is of bit length $l$, not $l + 1$. This is because $x \ge y$ holds and thus we do not need a sign bit. Correctness and privacy are straightforward. The complexity of this protocol is 15 rounds and $47 l \log l$ multiplications.

6.2 Computing the Borrow Bits

We now describe the BORROWS protocol, which computes the sharings of the borrow bits. In fact our BORROWS protocol is highly similar to the CARRIES protocol in [ref], so only the difference is sketched here. As in [ref], we use an operator $\circ : \Sigma \times \Sigma \to \Sigma$, where $\Sigma = \{S, P, K\}$, which is defined by $S \circ x = S$ for all $x \in \Sigma$, $K \circ x = K$ for all $x \in \Sigma$, and $P \circ x = x$ for all $x \in \Sigma$. Here, $\circ$ represents the borrow-propagation operator, whereas in [ref] it represents the carry-propagation operator. When computing $[x - y]_B$ (where $x \ge y$ holds) with two bitwise shared inputs

  $[x]_B = ([x_{l-1}]_p, \ldots, [x_1]_p, [x_0]_p)$ and $[y]_B = ([y_{l-1}]_p, \ldots, [y_1]_p, [y_0]_p)$,

for bit-position $i \in \{0, 1, \ldots, l-1\}$, let $e_i = S$ iff a borrow is set at position $i$ (i.e. $x_i < y_i$); $e_i = P$ iff a borrow would be propagated at position $i$ (i.e. $x_i = y_i$); $e_i = K$ iff a borrow would be killed at position $i$ (i.e. $x_i > y_i$). It can be easily verified that $b_i = 1$ (i.e. the $i$'th borrow bit is set, which means the $i$'th bit needs to borrow a "1" from the $(i+1)$'th bit) iff $e_i \circ e_{i-1} \circ \cdots \circ e_0 = S$. It can be seen that in the case where $\circ$ represents the borrow-propagation operator and in the case where $\circ$ represents the carry-propagation operator, the rules for $\circ$ (i.e. $S \circ x = S$, $K \circ x = K$ and $P \circ x = x$ for all $x \in \Sigma$) are completely the same. This means that when computing the borrow bits, once all the $e_i$'s are obtained, the remaining procedure of our BORROWS protocol is (completely) the same as that of the CARRIES protocol (in [ref]). So, the only difference lies in the procedure of computing the $e_i$'s, which is sketched below.

As in [ref], we represent $S$, $P$ and $K$ with the bit vectors

  $(1, 0, 0)$, $(0, 1, 0)$, $(0, 0, 1) \in \{0, 1\}^3$.

Then, for every bit-position $i \in \{0, 1, \ldots, l-1\}$, $[e_i]_B = ([s_i]_p, [p_i]_p, [k_i]_p)$ can be obtained as follows: $[s_i]_p = [y_i]_p - [x_i]_p[y_i]_p$; $[p_i]_p = 1 - [x_i]_p - [y_i]_p + 2[x_i]_p[y_i]_p$; $[k_i]_p = [x_i]_p - [x_i]_p[y_i]_p$, which in fact needs only one multiplication (i.e. $[x_i]_p[y_i]_p$). Correctness follows readily from the above arguments. Privacy is straightforward. The complexity of the protocol is 15 rounds and $47 l \log l$ multiplications.


6.3 Random-Digit-Bit

We now introduce the Random-Digit-Bit protocol for generating a random bitwise shared base-$m$ digit, which is denoted by $d$ here. In fact, $d$ is a random integer satisfying $0 \le d \le m - 1$. The details are presented in Protocol 5.


Protocol 5. The Random-Digit-Bit protocol, Random-Digit-Bit(·), for generating the bitwise sharing of a random digit. The digit is base-$m$ for any $m \ge 2$.

Input: The base $m$ satisfying $2 \le m \le p - 1$.

Output: $[d]^m_B = ([d^{L(m)-1}]_p, \ldots, [d^1]_p, [d^0]_p)$ with $0 \le d \le m - 1$.

Process:

  For $i = 0, 1, \ldots, L(m)-1$ in parallel: $[d^i]_p \leftarrow \mathrm{Random\text{-}Bit}()$.
  $[d]^m_B \leftarrow ([d^{L(m)-1}]_p, \ldots, [d^1]_p, [d^0]_p)$
  If $m = 2^{L(m)}$, then Return $[d]^m_B$. Otherwise proceed as below.
  $[r]_p \leftarrow \mathrm{Bitwise\text{-}LessThan}([d]^m_B, m)$
  $r \leftarrow \mathrm{reveal}([r]_p)$
  If $r = 0$, then abort. Otherwise Return $[d]^m_B$.


See [ref] for the correctness. As for the privacy, when this protocol does not abort, the only information leaked is that $d < m$, which is an a priori fact. As for the complexity, when $m$ is not a power of 2, the total complexity of one run of this protocol is 8 rounds and $16L(m)$ multiplications. As in [ref], using a Chernoff bound, it can be seen that if this protocol has to be repeated in parallel to get a lower abort probability, then the round complexity is still 8, and the amortized communication complexity goes up to $4 \times 16L(m) = 64L(m)$ multiplications.
6.4 Digit-Bit-Wise-LessThan

The Digit-Bit-wise-LessThan protocol proposed here is a natural generalization of the Bitwise-LessThan protocol. Recall that when we write $[C]_p$, where $C$ is a Boolean test, it means that $C \in \{0, 1\}$ and $C = 1$ iff $C$ is true. The details of the protocol are presented in Protocol 6.


Protocol 6. The Digit-Bit-wise-LessThan protocol, Digit-Bit-wise-LessThan(·), for comparing two digit-bit-wise shared values.

Input: Two digit-bit-wise shared values $[x]^m_{D,B} = ([x_{l^{(m)}-1}]_B, \ldots, [x_1]_B, [x_0]_B)$ and $[y]^m_{D,B} = ([y_{l^{(m)}-1}]_B, \ldots, [y_1]_B, [y_0]_B)$.

Output: $[(x < y)]_p$, where $(x < y) = 1$ iff $x < y$ holds.

Process:

  $[X]_B \leftarrow ([x^{L(m)-1}_{l^{(m)}-1}]_p, \ldots, [x^1_{l^{(m)}-1}]_p, [x^0_{l^{(m)}-1}]_p, \ldots, [x^{L(m)-1}_0]_p, \ldots, [x^1_0]_p, [x^0_0]_p)$
  $[Y]_B \leftarrow ([y^{L(m)-1}_{l^{(m)}-1}]_p, \ldots, [y^1_{l^{(m)}-1}]_p, [y^0_{l^{(m)}-1}]_p, \ldots, [y^{L(m)-1}_0]_p, \ldots, [y^1_0]_p, [y^0_0]_p)$
  $[(x < y)]_p = [(X < Y)]_p \leftarrow \mathrm{Bitwise\text{-}LessThan}([X]_B, [Y]_B)$
  Return $[(x < y)]_p$


Correctness is presented in [ref]. Privacy follows readily from only using private sub-protocols. The complexity of the protocol is 6 rounds and (about) $14l$ multiplications.


6.5 Random-Solved-Digits-Bits

The Random-Solved-Digits-Bits protocol is an important primitive which generates a digit-bit-wise shared random value unknown to all parties. It is a natural generalization of the Random-Solved-Bits protocol in [ref]. The details are presented in Protocol 7.

Recall that the bitwise representation of the most significant base-$m$ digit of $p$ is $[p_{l^{(m)}-1}]_B = (p^{L(m)-1}_{l^{(m)}-1}, \ldots, p^1_{l^{(m)}-1}, p^0_{l^{(m)}-1})$. Suppose $p^j_{l^{(m)}-1}$ ($j \in \{0, 1, \ldots, L(m)-1\}$) is the left-most "1" in $[p_{l^{(m)}-1}]_B$. Then, in order to get an acceptable abort probability, the bit-length of the most significant base-$m$ digit of $r$ should be $j + 1$, because an acceptable $r$ must be less than $p$. In this protocol, for simplicity, we assume that $p^{L(m)-1}_{l^{(m)}-1} = 1$. Under this assumption, we can generate $[r_{l^{(m)}-1}]_B$ using the Random-Digit-Bit protocol. If $p^{L(m)-1}_{l^{(m)}-1} = 0$, then $[r_{l^{(m)}-1}]_B$ can be generated by using the Random-Bit protocol directly.


Protocol 7. The Random-Solved-Digits-Bits protocol, Random-Solved-Digits-Bits(·), for jointly generating a digit-bit-wise shared value which is uniformly random from $\mathbb{Z}_p$.

Input: $m$, i.e. the expected base of the digits.

Output: $[r]^m_{D,B}$, in which $r$ is a uniformly random value satisfying $r < p$.

Process:

  For $i = 0, 1, \ldots, l^{(m)}-1$ in parallel: $[r_i]_B \leftarrow \mathrm{Random\text{-}Digit\text{-}Bit}(m)$.
  $[r]^m_{D,B} \leftarrow ([r_{l^{(m)}-1}]_B, \ldots, [r_1]_B, [r_0]_B)$
  $[c]_p \leftarrow \mathrm{Digit\text{-}Bit\text{-}wise\text{-}LessThan}([r]^m_{D,B}, [p]^m_{D,B})$
  $c \leftarrow \mathrm{reveal}([c]_p)$
  If $c = 0$, then abort. Otherwise Return $[r]^m_{D,B}$.


The correctness and the privacy are straightforward. The amortized complexity of this protocol is $8 + 6 = 14$ rounds and $(l^{(m)} \cdot 64L(m) + 14l) \times 4 = 312l$ multiplications.
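As an added example (not the paper's code), the Python below simulates Protocol 5 and Protocol 7 as rejection samplers on cleartext bits, with Random-Bit replaced by a coin flip and the comparison of Protocol 6 done by flattening the digit-bit-wise representation into one bit string and comparing it as the protocol does. It also computes the acceptance probability $p / 2^{l^{(m)} L(m)}$ that follows from the abort rules (a derivation of this example: every run draws $l^{(m)} L(m)$ uniform bits and accepts exactly the values $r < p$), which makes visible why the text asks for the most significant digit of $r$ to have only $j + 1$ bits: for a prime whose top digit has its $(L(m)-1)$'th bit clear, the acceptance rate collapses. The primes, bases, seed and trial counts are constructed for the demonstration.

```python
"""Rejection-sampler simulation of Protocol 5 (Random-Digit-Bit) and
Protocol 7 (Random-Solved-Digits-Bits) on cleartext bits, with the
flattening comparison of Protocol 6. Added example, not the paper's code;
coin flips stand in for Random-Bit, and the reveal of each comparison
bit is simply its cleartext value."""
import random


def L(m):
    """L(m) = ceil(log2 m)."""
    return (m - 1).bit_length()


def l_m(m, p):
    """l^(m) = ceil(log_m p): number of base-m digits of p."""
    n, v = 0, p
    while v:
        v, n = v // m, n + 1
    return n


def digit_bits(d, m):
    """Bitwise form of one base-m digit: L(m) bits, index 0 = LSB."""
    return [(d >> j) & 1 for j in range(L(m))]


def flatten(digit_bit_list):
    """Protocol 6: concatenate the digits' bit vectors into one bit string,
    most significant digit first and MSB first within a digit, so that the
    lexicographic order of the strings is the numeric order of the values."""
    out = []
    for bits in reversed(digit_bit_list):     # digits are stored LSD first
        out.extend(reversed(bits))
    return out


def less_than(bits_x, bits_y):
    """Cleartext stand-in for Bitwise-LessThan on equal-length strings."""
    assert len(bits_x) == len(bits_y)
    return int(bits_x < bits_y)


def random_digit_bit(m, rng):
    """Protocol 5: L(m) random bits; if m is not a power of 2, accept iff
    d < m. Returns (bits, accepted)."""
    bits = [rng.randrange(2) for _ in range(L(m))]
    if m == 1 << L(m):
        return bits, True                       # power of 2: never aborts
    d = sum(b << j for j, b in enumerate(bits))
    return bits, d < m                          # the revealed comparison bit


def random_solved_digits_bits(m, p, rng):
    """Protocol 7: l^(m) digits in parallel (abort if any digit aborts), then
    accept iff r < p, tested on the flattened strings. None means abort."""
    n = l_m(m, p)
    digits = []
    for _ in range(n):
        bits, ok = random_digit_bit(m, rng)
        if not ok:
            return None
        digits.append(bits)
    p_digits = [digit_bits((p // m**i) % m, m) for i in range(n)]
    if not less_than(flatten(digits), flatten(p_digits)):
        return None
    return digits


def expected_acceptance(m, p):
    """Derived in this example: l^(m)*L(m) uniform bits, accepted exactly
    when r < p, so Pr[accept] = p / 2^(l^(m) L(m))."""
    return p / 2 ** (l_m(m, p) * L(m))


def acceptance_rate(m, p, trials, seed=1):
    """Empirical acceptance rate of Protocol 7 for the given m and p."""
    rng = random.Random(seed)
    hits = sum(random_solved_digits_bits(m, p, rng) is not None
               for _ in range(trials))
    return hits / trials
```

With $m = 10$ and $p = 997$ (top digit 9, whose bit 3 is set, as the text assumes) about a quarter of the runs are accepted, matching $997/4096$; with $p = 101$ (top digit 1) only about $101/4096 \approx 2.5\%$ are, which is the situation the $j + 1$ rule is meant to avoid.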


6.6 Digit-Bit-Wise-Subtraction

In this section, we describe in detail the restricted version, Digit-Bit-wise-Subtraction*, which requires that the minuend is not less than the subtrahend. The general version, which can be realized using the techniques in the Bitwise-Subtraction protocol and which is not used in this paper, is omitted for simplicity.

• The Restricted Digit-Bit-wise-Subtraction. We now describe in detail the Digit-Bit-wise-Subtraction* protocol. This protocol is novel and is the most important primitive in our Base-m Digit-Bit-Decomposition protocol. The details are presented in Protocol 8.


Protocol 8. The restricted Digit-Bit-wise-Subtraction protocol, Digit-Bit-wise-Subtraction*(·), for computing the digit-bit-wise sharing of the difference between two digit-bit-wise shared values with the minuend not less than the subtrahend.

Input: $[x]^m_{D,B} = ([x_{l^{(m)}-1}]_B, \ldots, [x_1]_B, [x_0]_B)$ and $[y]^m_{D,B} = ([y_{l^{(m)}-1}]_B, \ldots, [y_1]_B, [y_0]_B)$ satisfying $x \ge y$.

Output: $[x - y]^m_{D,B} = [d]^m_{D,B} = ([d_{l^{(m)}-1}]_B, \ldots, [d_1]_B, [d_0]_B)$.

Process:

  $[X]_B \leftarrow ([x^{L(m)-1}_{l^{(m)}-1}]_p, \ldots, [x^0_{l^{(m)}-1}]_p, \ldots, [x^{L(m)-1}_0]_p, \ldots, [x^1_0]_p, [x^0_0]_p)$
  $[Y]_B \leftarrow ([y^{L(m)-1}_{l^{(m)}-1}]_p, \ldots, [y^0_{l^{(m)}-1}]_p, \ldots, [y^{L(m)-1}_0]_p, \ldots, [y^1_0]_p, [y^0_0]_p)$
  $([b^{L(m)-1}_{l^{(m)}-1}]_p, \ldots, [b^0_{l^{(m)}-1}]_p, \ldots, [b^{L(m)-1}_0]_p, \ldots, [b^1_0]_p, [b^0_0]_p) \leftarrow \mathrm{BORROWS}([X]_B, [Y]_B)$ (8.a)
  $[t^0_0]_p = [x^0_0]_p - [y^0_0]_p + 2[b^0_0]_p$ (8.b)
  For $j = 1, \ldots, L(m)-1$ in parallel: $[t^j_0]_p = [x^j_0]_p - [y^j_0]_p + 2[b^j_0]_p - [b^{j-1}_0]_p$.
  For $i = 1, \ldots, l^{(m)}-1$ do
    $[t^0_i]_p = [x^0_i]_p - [y^0_i]_p + 2[b^0_i]_p - [b^{L(m)-1}_{i-1}]_p$
    For $j = 1, \ldots, L(m)-1$ in parallel: $[t^j_i]_p = [x^j_i]_p - [y^j_i]_p + 2[b^j_i]_p - [b^{j-1}_i]_p$.
  End for (8.c)
  $C \leftarrow 2^{L(m)} - m$   ▷ Note that $C$ is public. (8.d)
  For $i = 0, 1, \ldots, l^{(m)}-1$ do
    If $m < 2^{L(m)}$ then   ▷ Recall that $m < 2^{L(m)}$ means $m$ is not a power of 2.
      $[d_i]_B \leftarrow \mathrm{Bitwise\text{-}Subtraction}^*([t_i]_B,\ [b^{L(m)-1}_i]_p\,?\,C : 0)$ (8.e)
    Else
      $[d_i]_B \leftarrow [t_i]_B$
    End if
  End for (8.f)
  $[x - y]^m_{D,B} = [d]^m_{D,B} \leftarrow ([d_{l^{(m)}-1}]_B, \ldots, [d_1]_B, [d_0]_B)$
  Return $[x - y]^m_{D,B}$


Correctness is described in detail in [ref]. Privacy follows readily from the fact that we only call private sub-protocols. The complexity of this protocol is 30 rounds and $47l\log l + 47l\log(L(m))$ multiplications. The communication complexity is upper bounded by $94l\log l$ multiplications since $L(m) \le l$.

• A Simplified Version. If we do not need $[x - y]^m_{D,B}$ but (only) need $[x - y]^m_D$ instead, a simplified version of the above protocol, Digit-Bit-wise-Subtraction*⁻, can be obtained by simply replacing all the statements after statement (8.a) with the following.

  $[d_0]^m_p = [x_0]^m_p - [y_0]^m_p + m[b^{L(m)-1}_0]_p$
  For $i = 1, \ldots, l^{(m)}-1$ in parallel: $[d_i]^m_p = [x_i]^m_p - [y_i]^m_p + m[b^{L(m)-1}_i]_p - [b^{L(m)-1}_{i-1}]_p$
  $[x - y]^m_D = [d]^m_D \leftarrow ([d_{l^{(m)}-1}]^m_p, \ldots, [d_1]^m_p, [d_0]^m_p)$
  Return $[x - y]^m_D$

Note that the above process is free. Correctness and privacy are straightforward. The complexity of this protocol goes down to 15 rounds and $47l\log l$ multiplications as the expensive Bitwise-Subtraction* protocol is omitted.

If this (simplified) protocol is constructed from scratch, then, for relatively large $m$, the borrow bits for every digit-position, i.e. $[b^{L(m)-1}_i]_p$ for $i \in \{0, 1, \ldots, l^{(m)}-1\}$, can be obtained at a lower cost. For every digit-position $i \in \{0, 1, \ldots, l^{(m)}-1\}$, $e_i \in \{S, P, K\}$ can be obtained by calling the linear primitive Bitwise-LessThan. Specifically, we have

  $e_i = S \Leftrightarrow [x_i]_B < [y_i]_B$;   $e_i = P \Leftrightarrow [x_i]_B = [y_i]_B$;   $e_i = K \Leftrightarrow [x_i]_B > [y_i]_B$.

So, using the Bitwise-LessThan protocol in both directions, which costs $l + \sqrt{l}$ more multiplications and no more rounds than one single invocation [ref], we can get all the $e_i$'s. Then as in the BORROWS protocol (or the CARRIES protocol), the target borrow bits (for every digit-position) can be obtained by using a generic prefix protocol which costs 15 rounds and $47 l^{(m)} \log l^{(m)}$ multiplications. So the Digit-Bit-wise-Subtraction*⁻ protocol can be realized in $6 + 15 = 21$ rounds and (less than) $16l + 47 l^{(m)} \log(l^{(m)})$ multiplications. Recall that $l^{(m)} = \lceil \log_m p \rceil$. Then for relatively large $m$, e.g. $m \approx p^{1/10}$ where $l^{(m)} = 10$, the communication complexity may be very low.
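The borrow computation of Section 6.2, Protocol 4 and Protocol 8 are shown together in the added Python example below (not the paper's code), on cleartext bits. The $S$/$P$/$K$ encodings and the formulas for $s_i$, $p_i$, $k_i$ and $d_i$ are those of the text; the generic prefix protocol is replaced by a plain log-depth parallel-prefix pass over $\circ$, and the digit-level step of Protocol 8 subtracts the public constant $C = 2^{L(m)} - m$ from every digit whose top borrow bit is set. The simplified variant that only needs the digit-wise result is included too, and a randomized check compares both against integer arithmetic. All function names and sample values are this example's own.

```python
"""Borrow propagation with the S/P/K operator (Section 6.2), Protocol 4 and
Protocol 8 on cleartext bits. Added example, not the paper's code; the
prefix step is a log-depth parallel-prefix pass standing in for the
generic prefix protocol."""
import random

S, P, K = (1, 0, 0), (0, 1, 0), (0, 0, 1)      # bit-vector encodings


def compose(left, right):
    """left o right:  S o x = S,  K o x = K,  P o x = x  (left decides)."""
    s, p, k = left
    return (s + p * right[0], p * right[1], k + p * right[2])


def spk(x_bits, y_bits):
    """e_i = (s_i, p_i, k_i) from the text's formulas; one product x_i*y_i."""
    out = []
    for xi, yi in zip(x_bits, y_bits):
        xy = xi * yi
        out.append((yi - xy, 1 - xi - yi + 2 * xy, xi - xy))
    return out


def prefix(es):
    """E_i = e_i o e_{i-1} o ... o e_0 for all i in ceil(log2 l) parallel
    steps (each step is one layer of compositions done side by side)."""
    acc, step = list(es), 1
    while step < len(acc):
        acc = [compose(acc[i], acc[i - step]) if i >= step else acc[i]
               for i in range(len(acc))]
        step *= 2
    return acc


def borrows(x_bits, y_bits):
    """BORROWS: b_i = 1 iff E_i = S, i.e. position i borrows from i+1."""
    return [E[0] for E in prefix(spk(x_bits, y_bits))]


def bitwise_sub(x_bits, y_bits):
    """Protocol 4 (needs x >= y): d_0 = x_0 - y_0 + 2 b_0 and
    d_i = x_i - y_i + 2 b_i - b_{i-1}; the output has l bits, no sign bit."""
    b = borrows(x_bits, y_bits)
    d = [x_bits[0] - y_bits[0] + 2 * b[0]]
    for i in range(1, len(x_bits)):
        d.append(x_bits[i] - y_bits[i] + 2 * b[i] - b[i - 1])
    return d


def L(m):
    return (m - 1).bit_length()


def to_bits(v, l):
    return [(v >> i) & 1 for i in range(l)]


def from_bits(bits):
    return sum(b << i for i, b in enumerate(bits))


def flatten(digits, m):
    """Digits (LSD first, as integers) -> one LSD-first bit string with L(m)
    bits per digit: the [X]_B / [Y]_B strings of statement (8.a)."""
    return [bit for d in digits for bit in to_bits(d, L(m))]


def digit_bitwise_sub(x_digits, y_digits, m):
    """Protocol 8 (needs x >= y): binary-subtract the flattened strings, then
    subtract C = 2^L(m) - m from each digit whose top borrow bit is set."""
    Lm, C = L(m), (1 << L(m)) - m                     # (8.d), C is public
    X, Y = flatten(x_digits, m), flatten(y_digits, m)
    b, t = borrows(X, Y), bitwise_sub(X, Y)            # (8.b), (8.c)
    out = []
    for i in range(len(x_digits)):
        t_i = from_bits(t[i * Lm:(i + 1) * Lm])       # [t_i]_B as a value
        top_borrow = b[(i + 1) * Lm - 1]              # b_i^{L(m)-1}
        out.append(t_i - C if top_borrow else t_i)    # (8.e) / else-branch
    return out


def digit_sub_simplified(x_digits, y_digits, m):
    """Digit-Bit-wise-Subtraction*-: only the top borrow bit per digit,
    d_0 = x_0 - y_0 + m b_0,  d_i = x_i - y_i + m b_i - b_{i-1}."""
    Lm = L(m)
    b = borrows(flatten(x_digits, m), flatten(y_digits, m))
    top = [b[(i + 1) * Lm - 1] for i in range(len(x_digits))]
    d = [x_digits[0] - y_digits[0] + m * top[0]]
    for i in range(1, len(x_digits)):
        d.append(x_digits[i] - y_digits[i] + m * top[i] - top[i - 1])
    return d


def check(m, n_digits, trials, seed=7):
    """Compare both variants against integer arithmetic on random x >= y."""
    rng = random.Random(seed)
    for _ in range(trials):
        x, y = sorted(rng.randrange(m ** n_digits) for _ in range(2))[::-1]
        xd = [(x // m**i) % m for i in range(n_digits)]
        yd = [(y // m**i) % m for i in range(n_digits)]
        want = [((x - y) // m**i) % m for i in range(n_digits)]
        if digit_bitwise_sub(xd, yd, m) != want:
            return False
        if digit_sub_simplified(xd, yd, m) != want:
            return False
    return True
```

For $x = 723$, $y = 198$ and $m = 10$ the flattened strings are subtracted as 4-bit slots; the two low slots produce a borrow and hold $11$ and $8$, and subtracting $C = 6$ turns them into the correct base-10 digits $5$ and $2$, while the top slot needs no correction. When $m$ is a power of 2, $C = 0$ and both variants coincide with plain bitwise subtraction.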

7 Comments 

As in [ref], although we describe all our protocols in the secret sharing setting, our techniques are also applicable to the threshold homomorphic setting. All the protocols in our paper can be similarly realized in this setting. However, some of the protocols in this setting may be less efficient than their counterparts in the secret sharing setting, because the Random-Bit protocol, which is a basic building block, is more expensive in the threshold homomorphic setting.

It is easy to see that, using our Base-m Digit-Decomposition protocol, which extracts all the base-$m$ digits of the shared input, we can also solve the modulo reduction problem (which requires only the least significant base-$m$ digit). However, our Modulo-Reduction protocol is meaningful because it achieves linear communication complexity and thus is much more efficient.
Obviously, we can say that the bit-decomposition protocol (of [ref]) is a special case of our Base-m Digit-Bit-Decomposition protocol when $m$ is a power of 2. In fact, we can also view the bit-decomposition protocol as a special case of our enhanced Modulo-Reduction protocol when the modulus $m$ is just $p$, i.e. we have

  $[x]_B = \mathrm{Bit\text{-}Decomposition}([x]_p) = \mathrm{Modulo\text{-}Reduction}^{+}([x]_p, p)$

for any $x \in \mathbb{Z}_p$. Our enhanced Modulo-Reduction protocol can handle not only the special case where $m = p$ but also the general case where $m \in \{2, 3, \ldots, p-1\}$, so it can also be viewed as a generalization of bit-decomposition.

We note that in [ref] a novel technique is proposed which can reduce the communication complexity of the bit-decomposition protocol to almost linear. We argue that their technique can also be used in our Base-m Digit-Bit-Decomposition protocol (as well as our Base-m Digit-Decomposition protocol) to reduce the (communication) complexity to almost linear, because their technique is in fact applicable to any PreFix-$\circ$ (or PostFix-$\circ$) protocol (which is the dominant factor of the communication complexity), assuming a linear protocol for computing UnboundedFanIn-$\circ$ exists, which is just the case in our protocols.

8 Applications and Future Work 

In [ref], we will show some applications of our new protocols, such as an efficient Integer Division protocol, a Divisibility Test protocol, Conversion of Integer Representation between Number Systems, etc.

Although we are successful in providing an (efficient) solution to the public modulo reduction problem, we fail to solve the private modulo reduction problem, where the modulus is (also) secret shared. The absence of knowledge of the exact value of $m$ makes our techniques useless. We leave it as an open problem to construct efficient protocols for private modulo reduction without relying on bit-decomposition.

Acknowledgments. We would like to thank the anonymous reviewers for their 
careful work and helpful comments. 
Abstract. In this work, we take a closer look at anonymity and robustness in encryption schemes. Roughly speaking, an anonymous encryption scheme hides the identity of the secret-key holder, while a robust encryption scheme guarantees that every ciphertext can only be decrypted to a valid plaintext under the intended recipient's secret key.

In case of anonymous encryption, we show that if an anonymous PKE 
or IBE scheme (in presence of CCA attacks) is used in a hybrid encryp- 
tion, all bets regarding the anonymity of the resulting encryption are 
off. We show that this is the case even if the symmetric-key component 
is anonymous. On the positive side, however, we prove that if the key-encapsulation method is, additionally, weakly robust, the resulting hybrid encryption remains anonymous. Some of the existing anonymous encryption schemes are known to be weakly robust, which makes them more desirable in practice.

In case of robust encryption, we design several efficient constructions 
for transforming any PKE/IBE scheme into weakly and strongly robust 
ones. Our constructions only add a minor computational overhead to the 
original schemes, while achieving better ciphertext sizes compared to the 
previous constructions. An important property of our transformations is 
that they are non-keyed and do not require any modifications to the 
public parameters of the original schemes. 

We also introduce a relaxation of the notion of robustness we call 
collision-freeness. We primarily use collision-freeness as an intermediate 
notion by showing a more efficient construction for transforming any 
collision-free encryption scheme into a strongly robust one. We believe 
that this simple notion can be a plausible replacement for robustness in 
some scenarios in practice. The advantage is that most existing schemes 
seem to satisfy collision-freeness without any modifications. 

1 Introduction 

The classical definitions of security for encryption schemes are mainly concerned 
with the secrecy of encrypted data. Particularly, the widely accepted notions of 
indistinguishability and non-malleability under chosen plaintext and ciphertext 
attacks [?], are all directed at capturing various aspects of data-secrecy in
encryption schemes. However, since encryption schemes are employed in a wide 
range of applications, one often requires them to satisfy additional properties. 
Two such properties, which have been the subject of formal studies in the cryptographic literature, are anonymity [?] and robustness [3]. Anonymity helps
keep the identity of the key-holders in an encryption scheme private, while ro- 
bustness provides a layer of protection against misuse or error by ensuring that 
a single ciphertext can only be decrypted by the intended user. In this paper we 
study several aspects of anonymity and robustness in public-key and identity- 
based encryption schemes. 

1.1 Anonymity of Hybrid Encryption Schemes 

The concept of anonymity for encryption schemes has been around for some time but was first formalized in the context of symmetric-key encryption [?] and was later extended to the case of public-key encryption (PKE) and identity-based encryption (IBE) [?]. Several PKE and IBE schemes in the literature, such as the Cramer-Shoup [?] and the Boyen-Waters [?] schemes in the standard model, and DHIES [?] and Boneh-Franklin [?] in the random oracle model, are shown to be anonymous.

However, in most cases, PKE and IBE schemes are used as key encapsulation 
methods (KEM) to encrypt a random key which is then used by a symmetric-key 
data encapsulation method (DEM) to encrypt the message itself. It is well known 
that if the KEM component is IND-CCA secure and the DEM component is (one-time) IND-CCA, the resulting hybrid encryption is also IND-CCA secure (e.g. see [?]).^1 From a practical point of view, it is important to determine whether similar statements can be made when considering anonymity.

A negative result. At first glance, it seems that the symmetric-key component is harmless as far as anonymity is concerned, since it only encrypts a message using a random secret key, which is unlikely to reveal additional information about the public key or the identity (this is in fact the case for CPA attacks). However, somewhat surprisingly, we show that this intuition is wrong in the presence of chosen ciphertext attacks. Particularly, we show a counterexample by building an anonymous-CCA (ANON-CCA) secure PKE/IBE scheme and a symmetric-key IND-CCA encryption, where it is easy to break the anonymity of the resulting hybrid construction. The negative result extends to the case when the symmetric-key component is also anonymous. An important implication is that:

Designing ANON-CCA PKE or IBE schemes is not sufficient for providing 
anonymity in practice where, more often than not, encryption schemes are used 
in hybrid constructions. 

A positive result. On the positive side, we show that if one further assumes that the KEM component is weakly-robust (see Section 2 for the definition), the resulting hybrid encryption is in fact ANON-CCA. This implies that despite our negative result, for most ANON-CCA schemes we know of, such as the Boneh-Franklin IBE, the Cramer-Shoup PKE, and the DHIES PKE, all of which are

^1 Note that the KEM/DEM framework is more general than hybrid encryption, but here we focus on the KEM/DEM framework in the context of hybrid encryption schemes.


A Closer Look at Anonymity and Robustness in Encryption Schemes 503 


known to be weakly-robust [3] (in the appropriate model), using them as part of a hybrid construction preserves their anonymity. The same is however not true for the Boyen-Waters anonymous IBE scheme, which is shown not to be weakly robust.

This result reemphasizes the close connection between anonymity and robust- 
ness and provides additional motivation to study the robustness property when 
designing anonymous encryption schemes. 

1.2 Robustness 

Informally speaking, weak robustness requires that a ciphertext does not decrypt 
to a valid plaintext under distinct secret keys for two different identities. A 
stronger version of robustness requires this to be the case even for adversarially 
chosen ciphertexts. The concept of robustness was studied in one way or another 
in [?] and [?], but was only recently formalized by Abdalla et al. [3].

It is not hard to see that robustness can be trivially achieved by appending 
the encryption key to the ciphertext and checking for it upon decryption. The 
main drawback is that the resulting scheme is no longer anonymous. In fact, as 
discussed in [3] and further motivated by our results on anonymity of hybrid encryptions, it is exactly for anonymous schemes that robustness is important. In [3], the authors study the robustness properties of several existing anonymous encryption schemes, and design general constructions for transforming any IBE/PKE scheme into a robust one.

A transformation is keyed if an additional string needs to be added to the set 
of public parameters for the original scheme, and is called non-keyed, otherwise. 
An important advantage of non-keyed constructions over keyed ones is that the 
robustness property can be added to the encryption scheme without having to 
notify a third party such as a PKI in advance. Consequently, users of a system 
can add robustness to the scheme after it is deployed. 

Non-keyed transformations for robustness. In the standard model, we design a non-keyed construction for transforming any anonymous IBE/PKE scheme into a weakly robust one in the presence of CPA attacks. In the random oracle model, we design a non-keyed transformation that provides strong robustness in the presence of CCA attacks. In both cases, the computational overhead is very small (it involves one to three invocations of a hash function), and despite being non-keyed the ciphertext sizes we achieve are better than those of the previous work. A curious open question is whether we can achieve the latter transformation in the standard model.

Collision-freeness. We also study the notion of collision-freeness, a natural 
relaxation of robustness. Roughly speaking, an encryption scheme is collision- 
free if a ciphertext does not decrypt to the same message under two different 
decryption keys. Collision-freeness can be a sufficient property in some scenar- 
ios in practice. For example, if the receiver expects to see a specific message as 
part of the protocol but after decrypting using his secret key recovers a different 
one, he can detect an error and stop the communication. Interestingly, we show 
that schemes such as the El Gamal PKE scheme [?] and the Boyen-Waters IBE scheme [?] are strongly collision-free even though they are known not to be weakly robust. Hence, collision-freeness seems to be a less restrictive assumption on an encryption scheme and one that most encryption schemes seem to satisfy without any modifications. More importantly, we design a more efficient construction for transforming any collision-free encryption scheme into a strongly robust one.


2 Preliminaries 

One-way functions. Roughly speaking, a function is one-way if it is hard to invert on a random input. More formally, we say that a function f over {0,1}^k is one-way if

$$\mathrm{Adv}^{\mathrm{owf}}_{f}(k) = \Pr\big[\, x \leftarrow \{0,1\}^k;\; y \leftarrow f(x);\; x' \leftarrow A(f, y) \;:\; x = x' \,\big]$$

is negligible for every PPT inverter A.

General encryption schemes. Abdalla et al. [3] introduced and used the notion of general encryption schemes which encompass both PKE and IBE schemes.
Similar to their work we will use this notion, since all our transformations are 
applicable to both PKE and IBE schemes. 

A general encryption (GE) scheme consists of a tuple GE = (Pg, Kg, Enc, Dec) of algorithms. The parameter generation algorithm Pg takes no input and returns common parameters pars and a master secret key msk. On input pars, msk, id, the key generation algorithm Kg produces an encryption key ek and the decryption key dk. On inputs pars, ek, M the encryption algorithm Enc produces a ciphertext C encrypting plaintext M. On input pars, ek, dk, C, the deterministic decryption algorithm Dec returns either a plaintext M or ⊥ to indicate that it rejects. GE is a PKE scheme if msk = ε and Kg ignores its id input. GE is an IBE scheme if ek = id, meaning the encryption key generated by Kg on inputs pars, msk, id is always id. Finally, we point out that the notion of general encryption contains PKE schemes, IBE schemes and more. In other words, there are general encryption schemes that are neither PKE nor IBE schemes.

AI-{CPA,CCA} security. Traditionally, the definitions of privacy [?] and anonymity [?] for encryption schemes are introduced separately. However, when considering robustness, it makes sense to consider both notions simultaneously. Hence we follow the definition of [3], who combine the two into a single
game. We define the AI-{CPA,CCA} security (AI = ANON + IND) of a general 
encryption scheme GE = (Pg, Kg, Enc, Dec) via a security game between the 
adversary and the challenger. 

- Setup: Challenger runs (pars, msk) ← Pg(1^k); b ←$ {0,1}; S, T, U, V ← ∅.

- Queries:

  • Public key query id. Challenger lets U ← U ∪ {id}; (Ek[id], Dk[id]) ← Kg(pars, msk, id) and returns Ek[id].

  • Decryption-key query id. If id ∉ U or id ∈ S return ⊥. Else V ← V ∪ {id} and return Dk[id].

  • Decryption query (C, id). If id ∉ U or (id, C) ∈ T return ⊥. Else let M ← Dec(pars, Ek[id], Dk[id], C), and return M.

  • Challenge query (id_0^*, id_1^*, M_0^*, M_1^*). If id_0^* ∉ U or id_1^* ∉ U or id_0^* ∈ V, or id_1^* ∈ V return ⊥. Else let C^* ←$ Enc(pars, Ek[id_b^*], M_b^*); S ← S ∪ {id_0^*, id_1^*}; T ← T ∪ {(id_0^*, C^*), (id_1^*, C^*)} and return C^*.

- Adversary's guess. Adversary returns a bit b'.

Note that there is only one challenge query. In case of CPA attacks, no decryption 
queries are allowed. Adversary A’s advantage in the AI-{CPA,CCA} game is: 

$$\mathrm{Adv}^{\mathrm{ai\text{-}\{cpa,cca\}}}_{GE}(A) = \Pr[b' = b] - 1/2$$

In some cases however, we consider the security notions for anonymity (ANON- 
{ CPA, CCA}) and indistinguishability (IND-{CPA,CCA}), individually. The 
challenge query in the above security game can be modified in the obvious way 
to capture each of these definitions separately. We point out that similar definitions can also be adapted for the case of symmetric-key encryption.

Robustness. Following [3], we consider two definitions of robustness for a general encryption scheme, namely weak robustness (WROB) and strong robustness (SROB). The following game defines both notions. As noted below, the only difference is in the final message sent by the adversary to the challenger:

- Setup: Challenger runs (pars, msk) ← Pg(1^k); b ←$ {0,1}; U, V ← ∅.

- Queries:

  • Public key query id. Challenger lets U ← U ∪ {id}; (Ek[id], Dk[id]) ← Kg(pars, msk, id) and returns Ek[id].

  • Decryption-key query id. If id ∉ U or id ∈ S return ⊥. Else V ← V ∪ {id} and return Dk[id].

  • Decryption query (C, id). If id ∉ U return ⊥. Else let M ← Dec(pars, Ek[id], Dk[id], C), and return M.

  • Final message (id_0^*, id_1^*, M) (for WROB). If id_0^* = id_1^* or id_0^* ∉ U or id_1^* ∉ U or id_0^* ∈ V, or id_1^* ∈ V return 0. Else let C^* ←$ Enc(pars, Ek[id_0^*], M); M' ← Dec(pars, Ek[id_1^*], Dk[id_1^*], C^*); if M' ≠ ⊥ return 1, else return 0.

  • Final message (id_0^*, id_1^*, C) (for SROB). If id_0^* = id_1^* or id_0^* ∉ U or id_1^* ∉ U or id_0^* ∈ V, or id_1^* ∈ V return 0. Else let M_0 ← Dec(pars, Ek[id_0^*], Dk[id_0^*], C); M_1 ← Dec(pars, Ek[id_1^*], Dk[id_1^*], C); if M_0 ≠ ⊥ and M_1 ≠ ⊥ return 1, else return 0.

Similar to above, in case of CPA attacks, no decryption queries are allowed. 
Adversary A’s advantage in the {WROB, SROB}-{CPA, CCA} game is: 

$$\mathrm{Adv}^{\{\mathrm{wrob},\mathrm{srob}\}\text{-}\{\mathrm{cpa},\mathrm{cca}\}}_{GE}(A) = \Pr[G^A \to 1]$$

506 P. Mohassel

In the WROB game the adversary produces a message M, and C is its encryption under the encryption key of one of the given identities, while in the SROB game the adversary produces C directly, and need not obtain it as an honest encryption. Note that in the case of PKE schemes, the adversary does not get to choose the encryption keys of the identities it is targeting. Those are honestly and independently chosen by the identities themselves in real life and by the games in the above formalizations.

3 Anonymous-CCA Hybrid Encryption 

In this section we take a closer look at anonymous encryption schemes in the presence of chosen ciphertext attacks (ANON-CCA) as defined in Section 2. Previous works on anonymous public-key and identity-based encryption [?] have studied this security notion and provided constructions satisfying it.

However, in most scenarios in practice, PKE and IBE schemes are used in 
the KEM/DEM paradigm. It is known that if the KEM component is IND-CCA 
secure and the DEM component is (one-time) IND-CCA, the resulting hybrid en- 
cryption is also IND-CCA secure. For practical reasons, it is crucial to determine 
whether we can make similar statements when considering the anonymity of the 
resulting hybrid construction. More specifically, we try to answer the following 
question: 

Given an ANON-CCA PKE or IBE scheme and an (ANON-CCA + IND- 
CCA) symmetric-key encryption scheme, is the resulting hybrid encryption 
scheme ANON-CCA? 

3.1 A Negative Result 

Somewhat surprisingly, we answer the above question in the negative. First we 
show a counterexample by building an ANON-CCA secure PKE/IBE scheme and 
a symmetric-key IND-CCA encryption, where it is easy to break the anonymity 
of the resulting hybrid construction. The negative result easily extends to the 
case when the symmetric-key component is also ANON-CCA. An important im- 
plication is that designing ANON-CCA PKE or IBE schemes is not sufficient for 
providing anonymity in practice where, more often than not, encryption schemes 
are used in hybrid constructions. 

Claim 3.1. There exists an ANON-CCA PKE/IBE scheme and a symmetric-key authenticated encryption scheme (assuming there are secure schemes at all) such that the resulting hybrid encryption is not ANON-CCA.

The intuition behind the counterexample is that since the adversary has access 
to a decryption oracle, he can take advantage of the fact that decrypting one 
ciphertext under two different secret keys can result in different answers. Partic- 
ularly, these different answers can be used by the adversary to compromise the 
anonymity of the scheme. 

Proof. We describe the proof for the case of a PKE scheme, but an identical proof works for IBE schemes as well. Let PKE_1 = (Kg_1, Enc_1, Dec_1) be an (ANON-CCA + WROB-CCA) PKE encryption scheme. The Cramer-Shoup encryption scheme or any of the constructions in this paper will do. We build the encryption scheme PKE_2 = (Kg_2, Enc_2, Dec_2) by letting the key-generation and encryption algorithms be identical to those of PKE_1, and modifying the decryption algorithm such that whenever the Dec_1 algorithm returns the symbol ⊥, the decryption algorithm Dec_2 returns 0^n instead, and otherwise works the same as Dec_1. It is easy to verify that after this simple modification, PKE_2 remains ANON-CCA. PKE_2 will be the key encapsulation method in our counterexample.

For the DEM component we use an IND-CCA encryption scheme that is also key-binding, a notion introduced in [?].

Definition 1. A symmetric-key encryption scheme E = (SK, SE, SD) is called key-binding if for any key k generated by SK, any message m, and randomness r, there does not exist a key k' such that k' ≠ k and SD_{k'}(SE_k(m, r)) ≠ ⊥.

The key-binding property guarantees that a ciphertext created using one secret key does not decrypt correctly under any other secret key. Fischlin [?] showed simple constructions of such encryption schemes from any PRF. For the purpose of our counterexample it suffices to know that an IND-CCA encryption scheme E with such a property exists.

Now, we show that combining PKE_2 and E into a hybrid encryption is not ANON-CCA. Particularly, an attacker with the following simple strategy can break the anonymity of the scheme.

Recall the ANON-CCA security game. Attacker A initially sends a message m as his challenge in the ANON-CCA game and receives the ciphertext C = (c_1, c_2) = (Enc_2(pk_{id_b}, k), SE_k(m)) for a random bit b ∈ {0,1} and a random key k ∈ {0,1}^n. Then, A makes a decryption query for the ciphertext (c_1, SE_{0^n}(m')) under public key pk_{id_0}, for an arbitrary message m'. If the answer is ⊥, A outputs 0 and else outputs 1.

To see why A breaks the ANON-CCA security of the encryption scheme, note that if b = 1 then k' = Dec_2(sk_{id_0}, Enc_2(pk_{id_1}, k)) = 0^n given the way we have defined PKE_2. Hence, we have that SD_{0^n}(SE_{0^n}(m')) = m' ≠ ⊥. On the other hand, if b = 0 then k' = Dec_2(sk_{id_0}, Enc_2(pk_{id_0}, k)) = k. Hence we have SD_k(SE_{0^n}(m')) = ⊥ due to the key-binding property of E and the fact that k ≠ 0^n with all but negligible probability. Therefore, A guesses the bit b correctly with high probability.

A closer look at the above attack strategy reveals that a much weaker property than that of Definition 1 for the symmetric-key scheme suffices for our argument to go through. In particular, we only need the key-binding property to hold for a fixed message and a fixed secret key (m' and 0^n, respectively).

Strengthening the DEM component? One potential solution is to use a symmetric-key encryption scheme that possesses some additional properties. Particularly, one natural question is whether using an anonymous-CCA symmetric-key encryption as the DEM component would yield an anonymous hybrid construction. Unfortunately, the answer to this question is also negative. It is easy to verify that the above negative result extends to work for any security notion considered for symmetric-key encryption, as long as that security notion can be achieved in conjunction with the key-binding property. In all such cases, the proof given above works without any significant changes.

Anonymity of symmetric-key encryption schemes has been studied under the name key-hiding in [?], where the authors also design IND-CCA secure symmetric-key encryption schemes that are simultaneously key-hiding and key-binding. This leads to the following claim:

Claim 3.2. There exists an ANON-CCA PKE/IBE scheme and an (ANON-CCA + IND-CCA) symmetric-key encryption scheme such that the resulting hybrid encryption is not ANON-CCA.


3.2 A Positive Result 

In light of the above negative results, it is natural to ask what additional property 
the KEM component should have in order to preserve its ANON-CCA security 
in a hybrid construction. We show that if one further assumes that the KEM 
component is weakly-robust, the resulting hybrid encryption is in fact ANON- 
CCA. This implies that despite the negative results we gave above, for most 
ANON-CCA schemes we know, such as the Boneh-Franklin IBE, the Cramer-Shoup PKE, and the DHIES PKE, all of which are known to be weakly-robust [3], using them as part of a hybrid construction is safe. The intuition behind the
proof is that weak robustness ensures that the decryption algorithm behaves in 
a predictable way, when decrypting a ciphertext under two different secret keys, 
and this predictable behavior combines quite nicely with the security properties 
of an authenticated symmetric encryption scheme, namely, IND-CCA security 
and the ciphertext integrity (CTXT-INT). 

In the following claim we prove a stronger result than what we need here by 
considering the notion of AI-CCA security which combines ANON-CCA security 
and IND-CCA security into one definition. The main reason is that we need this 
stronger claim in a following section. The proof for the case when one is only 
interested in ANON-CCA secure hybrid schemes is identical. 

Claim 3.3. If the KEM component PKE of a hybrid construction is an (AI-CCA + WROB-CCA) general encryption, and E is a one-time authenticated symmetric encryption, then the resulting hybrid encryption PKE' is also an AI-CCA general encryption scheme.

Proof. We prove the above claim via a sequence of games. 

Game 0. Game 0 is simply the AI-CCA game. Denote by b the random bit generated by the challenger, by C^* = (c_1^*, c_2^*) the challenge ciphertext, where c_1^* is the KEM component and c_2^* is the DEM component, and by k^* the secret key used for the DEM component.

Game 1. Game 1 is similar to Game 0, except that for any decryption query of the form (c_1, c_2) for pk_{id_b} where c_1 = c_1^* and c_2 ≠ c_2^*, the challenger uses k^* to decrypt c_2 and recover the message (as opposed to decrypting c_1).
It is easy to see that the difference between the advantage of any adversary in these two games is bounded by the decryption error. For simplicity we assume that there is no decryption error and therefore

$$\mathrm{Adv}_{G_0}(A) = \mathrm{Adv}_{G_1}(A)$$

Game 2. Similar to Game 1 except that for any decryption query of the form (c_1, c_2) for pk_{id_{1-b}} where c_1 = c_1^* and c_2 ≠ c_2^*, the challenger returns ⊥.

Note that Games 1 and 2 are different only when c_1^*, which is the encryption of message m_b under pk_{id_b}, also decrypts correctly under pk_{id_{1-b}}. This probability is bounded by the advantage of an adversary B in winning the WROB-CCA game and hence:

$$\mathrm{Adv}_{G_2}(A) - \mathrm{Adv}_{G_1}(A) \le \mathrm{Adv}^{\mathrm{wrob\text{-}cca}}_{PKE}(B)$$

Game 3. Similar to Game 2 except that the challenger generates and uses a random key k' (instead of k^*) when encrypting the private-key component of the ciphertext for the challenge query.

The difference between the advantages of an adversary in Games 2 and 3 is bounded by the AI-CCA security of the PKE scheme:

$$\mathrm{Adv}_{G_3}(A) - \mathrm{Adv}_{G_2}(A) \le \mathrm{Adv}^{\mathrm{ai\text{-}cca}}_{PKE}(B')$$

Game 4. We modify Game 3 in two ways. First, for the challenge query, instead of encrypting the message m_b, the challenger encrypts the constant message 0^k. Second, for decryption queries (c_1, c_2) under pk_{id_b} where c_1 = c_1^*, the challenger returns ⊥.

The probability of distinguishing the first change is bounded by the IND-CCA advantage of an adversary against the scheme E, while for the second change, the probability is bounded by the advantage of an adversary playing the ciphertext integrity (CTXT-INT) game with E. Both the IND-CCA security and the CTXT-INT security are properties possessed by any authenticated encryption scheme.

$$\mathrm{Adv}_{G_4}(A) - \mathrm{Adv}_{G_3}(A) \le \mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathcal{E}}(B'') + \mathrm{Adv}^{\mathrm{ctxt\text{-}int}}_{\mathcal{E}}(B''')$$

Finally, it is easy to see that the adversary's view in Game 4 is independent of the bit b and hence the adversary's advantage in guessing b is exactly 1/2. Putting things together we have:

$$\mathrm{Adv}^{\mathrm{ai\text{-}cca}}_{PKE'}(A) \le \mathrm{Adv}^{\mathrm{wrob\text{-}cca}}_{PKE}(B) + \mathrm{Adv}^{\mathrm{ai\text{-}cca}}_{PKE}(B') + \mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathcal{E}}(B'') + \mathrm{Adv}^{\mathrm{ctxt\text{-}int}}_{\mathcal{E}}(B''')$$

4 Non-keyed Transformations for Robustness 

Having further motivated the study of robust encryption schemes, we next focus 
on efficient ways of transforming general encryption schemes into robust ones. 
As mentioned earlier, such a transformation is called a keyed transformation if 
an additional string is added to the original set of public parameters, and is
called non-keyed otherwise. 

In Section 4.1 we design an efficient and non-keyed transformation for weak robustness, in the presence of CPA attacks (in the standard model). In Section 4.2 we design a non-keyed transformation for strong robustness in the presence of CCA attacks (in the random oracle model). Despite being non-keyed, our transformations have better ciphertext sizes compared to previous work. In other words, not adding an extra string to the public parameters does not translate to larger ciphertexts (see the efficiency comparison sections).

4.1 A Transformation for AI-CPA Schemes 

The following non-keyed construction takes any AI-CPA encryption scheme, and transforms it to an (AI-CPA + WROB-CPA) scheme.

Construction 4.1. Let PKE = (Pg, Kg, Enc, Dec) be an AI-CPA general encryption scheme, and let f be a one-way function over {0,1}^k. We construct the general encryption scheme PKE' = (Pg', Kg', Enc', Dec'):

• Parameter Generation (Pg'): On input 1^k return (pars, msk) ← Pg(1^k).

• Key Generation (Kg'): On input pars, msk, id, return (pk_id, sk_id) ← Kg(pars, msk, id).

• Encryption (Enc'): On input pars, pk_id, m, generate a random r ∈ {0,1}^k and return (Enc(pars, pk_id, m||r), f(r)).

• Decryption (Dec'): On inputs pars, pk_id, sk_id, (c_1, c_2), compute m'||r' ← Dec(pars, pk_id, sk_id, c_1). If r' ≠ ⊥ and f(r') = c_2 return m'; else return ⊥.

Note that in Construction 4.1, instead of a one-way function, we can also use a target collision-resistant (TCR) hash function (a universal one-way hash function). Particularly, it is easy to show that any TCR function that is sufficiently compressing is a good one-way function.

We will shortly prove the security of the above scheme, but first let us briefly study its efficiency.

Efficiency comparison. To implement our scheme one can use a fixed-length cryptographic hash function h with an output length of 128 bits (e.g. constructed by suitably modifying the output length of a hash function from the SHA family). The reason that we only need 128 bits of output is that we only require the hash function to be one-way as opposed to collision-resistant. Furthermore, it is sufficient for us to let k = 256 where r is chosen from {0,1}^k.^2 This means that the PKE scheme has to encrypt a message that is only 256 bits longer than the original message, and the ciphertext is at most expanded by an additive factor of 384 bits as opposed to 768 bits in the construction of Abdalla et al. [3].

^2 When computing the hash of r, we can pad r with enough 0's in order to match the input block-size requirement for the hash function. Note that this does not affect the efficiency of the encryption or the size of the ciphertext in any way.




Theorem 1. Let PKE be an AI-CPA secure general encryption scheme and f be a one-way function. Then, the PKE' scheme of Construction 4.1 is both AI-CPA secure and WROB-CPA secure.

Proof. We prove the theorem in two separate claims. Claim 4.2 ensures that the above transformation preserves the AI-CPA security of the original scheme. Claim 4.3 states that the resulting scheme PKE' is also weakly robust.

Claim 4.2. For any PPT adversary A against PKE', there exists a PPT adversary B against PKE such that:

$$\mathrm{Adv}^{\mathrm{ai\text{-}cpa}}_{PKE'}(A) = \mathrm{Adv}^{\mathrm{ai\text{-}cpa}}_{PKE}(B)$$

Proof. B runs A. When A sends its challenge request (id_0, id_1, M_0, M_1), B generates a random value r ∈ {0,1}^k and sends (id_0, id_1, M_0||r, M_1||r) to its own challenger in the AI-CPA game for PKE. B receives back c^* = Enc(pars, id_b, pk_{id_b}, M_b||r) and sends (c^*, f(r)) to A. The decryption-key queries made by A are forwarded to the corresponding oracle in B's game. Since we only consider CPA attacks, no decryption queries on id_0 or id_1 are allowed. Eventually, A outputs a bit b'. B also outputs b' and halts. It is straightforward to see that the advantage of B against PKE is the same as A's advantage against the PKE' scheme.

Claim 4.3. For any PPT adversary A against PKE' in the WROB-CPA game, there exist PPT adversaries B_1 against PKE in the AI-CPA game and B_2 against f in the one-wayness game such that:

$$\mathrm{Adv}^{\mathrm{wrob\text{-}cpa}}_{PKE'}(A) = 2\,\mathrm{Adv}^{\mathrm{ind\text{-}cpa}}_{PKE}(B_1) + \mathrm{Adv}^{\mathrm{owf}}_{f}(B_2)$$

Proof. We prove this claim in a sequence of two games. 

Game 0. Game 0 is the WROB-CPA game against the PKE' scheme as defined earlier. More specifically, the adversary sends the tuple (id_0, id_1, M) to the challenger. The challenger computes C_0 = Enc'(pars, id_0, pk_{id_0}, M) = (Enc(pars, pk_{id_0}, M||r), f(r)) for random r ∈ {0,1}^k. He then computes M_1 = Dec'(pars, pk_{id_1}, sk_{id_1}, C_0). If M_1 ≠ ⊥, the challenger outputs 1. Else it outputs 0.

Game 1. Game 1 is similar to Game 0, except that C_0 is computed in the following way:

$$C_0 = \big(\mathrm{Enc}(pars, pk_{id_0}, M\|0^k),\; f(r)\big)$$

The rest of the game stays the same.

First we show that there exists an adversary B_1 such that Adv^{ind-cpa}_{PKE}(B_1) = 1/2 (Pr[G_1^A → 1] − Pr[G_0^A → 1]). B_1 runs A and receives the tuple (id_0, id_1, M) from her. B_1 queries the key oracle for (pk_{id_1}, sk_{id_1}). He then generates a random r ∈ {0,1}^k and sends (id_0, m_0 = M||r, m_1 = M||0^k) to the challenger in the IND-CPA game against PKE and receives C_0 = Enc(pars, id_0, pk_{id_0}, m_b) for a random bit b. B_1 then decrypts (C_0, f(r)) using the Dec' algorithm and the secret key sk_{id_1}. If the result of decryption is not ⊥, B_1 lets b' = 1 and else b' = 0. Then we have

$$\begin{aligned}
\mathrm{Adv}^{\mathrm{ind\text{-}cpa}}_{PKE}(B_1) &= \Pr[b' = b] - 1/2 \\
&= \Pr[b = 1]\cdot\Pr[B_1^{\mathrm{ind\text{-}cpa}} \to 1 \mid b = 1] + \Pr[b = 0]\cdot\Pr[B_1^{\mathrm{ind\text{-}cpa}} \to 0 \mid b = 0] - 1/2 \\
&= 1/2\,\Pr[B_1^{\mathrm{ind\text{-}cpa}} \to 1 \mid b = 1] + 1/2\,\Pr[B_1^{\mathrm{ind\text{-}cpa}} \to 0 \mid b = 0] - 1/2 \\
&= 1/2\,\Pr[G_1^A \to 1] + 1/2\,\big(1 - \Pr[G_0^A \to 1]\big) - 1/2 \\
&= 1/2\,\big(\Pr[G_1^A \to 1] - \Pr[G_0^A \to 1]\big) \qquad (1)
\end{aligned}$$

We now show that there exists an adversary B_2 such that Pr[G_1^A → 1] = Adv^{owf}_f(B_2). B_2 generates (pars, msk) for the general encryption, and runs A. When B_2 receives the tuple (id_0, id_1, M) he computes (pk_{id_0}, sk_{id_0}), (pk_{id_1}, sk_{id_1}) and C_0 = Enc(pars, pk_{id_0}, M||0^k). He then requests his challenge for the one-wayness game and receives f(r) for a random r. B_2 then decrypts (C_0, f(r)) using the Dec' algorithm and the secret key sk_{id_1}. If the result is ⊥ it outputs fail and halts. Else, it parses the decrypted plaintext into M'||r' and returns r' to his own challenger.

B_2 wins the one-wayness game if f(r') = f(r). Note that according to the definition of Dec', whenever the decryption algorithm does not output ⊥ we have f(r') = f(r). Hence

$$\mathrm{Adv}^{\mathrm{owf}}_{f}(B_2) = 1 - \Pr[B_2 \to \mathrm{fail}] = 1 - \Pr[G_1^A \to 0] = \Pr[G_1^A \to 1]$$

Putting things together we have:

$$\begin{aligned}
\mathrm{Adv}^{\mathrm{wrob\text{-}cpa}}_{PKE'}(A) &= \Pr[G_0^A \to 1] \\
&= \Pr[G_0^A \to 1] - \Pr[G_1^A \to 1] + \Pr[G_1^A \to 1] \\
&= 2\,\mathrm{Adv}^{\mathrm{ind\text{-}cpa}}_{PKE}(B_1) + \mathrm{Adv}^{\mathrm{owf}}_{f}(B_2)
\end{aligned}$$


4.2 A Transformation for AI-CCA Schemes 

Unfortunately, the transformation we gave above does not work in the case of AI-CCA encryption schemes. Nevertheless, we are able to design an efficient and non-keyed transformation for any AI-CCA encryption scheme, in the random oracle model. The construction follows:

Construction 4.4. Let PKE = (Pg, Kg, Enc, Dec) be an AI-CCA general en- 
cryption scheme, and let G,H,H' : {0,1}* -* {0, \ } k be three hash functions. 
We construct the general encryption scheme PKE' = (Pg', Kg', Enc', Dec'): 

• Parameter Generation(Pg / ): On input l k return (pars, msk) Pg(l fc ). 

• Key Generation (Kg 7 ): On input pars, msk, id, return 

(pkid, skid) Kg (pars, msk, id). 
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• Encryption(Enc / ): 

On input pars,pkid,m, generate a random r € {0,l} fe and return 
(Enc(pars,pkid, r; H(r)), G{r) ® m, H'(pk,r,m)). 

• Decryption(Dec / ): On inputs pars, pkid, skid, (ci, 02 , 03 ), compute 

r 1 Dec(pars,pkid,skid,ci). If r' = _L or Enc(pars,pk ic i, r'\ H(r')) c\, 

return _L, else compute m <— C 2 ® G(r): if H'{pk. r, rn) = C 3 return to, else 
return _L. 

The above construction is an adaptation of an earlier version of the OAEP scheme (see [8]) based on any one-way trapdoor function (TDF). The two main differences are that (i) we are transforming a randomized encryption scheme instead of a one-way TDF, which is why we use H(r) to generate the randomness for the encryption algorithm, and (ii) since our goal is to also achieve robustness, the third component of the ciphertext hashes the public key along with the message and randomness.

It is also interesting to note that, unlike the optimized OAEP scheme [7], which encrypts c_2||c_3 as part of the message (in order to obtain shorter ciphertexts), there is no hope of doing the same in our case, due to the impossibility result of [3], who rule out non-keyed redundancy codes.

Efficiency Comparison. The overhead for the ciphertext size is two hash values, each of which leads to 512 bits of overhead. The alternative existing solution would be to combine a weakly robust encryption scheme with the weak-to-strong transformation of [2]. This leads to 768 + x bits, where x is the ciphertext overhead of the weak-to-strong transformation, which can be quite large itself (depending on the commitment scheme used).

Theorem 2. Let PKE be an AI-CCA secure general encryption scheme and H, G, and H' be random oracles. Then, the PKE' scheme of Construction 4.4 is both AI-CCA secure and SROB-CCA secure.

We prove the above theorem via two separate claims. Claim 4.5 ensures that the above transformation preserves the AI-CCA security of the original scheme. Claim 4.6 states that the resulting scheme PKE' is also weakly robust.

Claim 4.5. For any PPT adversary A against PKE', there exists a PPT adversary B against PKE such that:

Adv^{ai-cca}_{PKE'}(A) ≤ q_D/2^k + q_H · Adv^{ai-cca}_{PKE}(B)

Proof. We prove this claim in a sequence of games.

Game 0. In this game the adversary plays the AI-CCA game with the challenger using the construction above. The challenger initializes three empty lists H_list, G_list, and H'_list. For any oracle query q made to H (G, or H'), if a tuple of the form (q, a) for any a is present in H_list (G_list or H'_list), the challenger returns a as the answer. Else, the challenger generates a random a ∈ {0,1}^k, adds (q, a) to H_list (G_list or H'_list) and returns a to the adversary. Denote the adversary's challenge query by (m_0, m_1, id_0, id_1), and the response ciphertext by


514 P. Mohassel 


c* = (c_1^*, c_2^*, c_3^*) = (Enc(pars, pk_{id_b}, r; H(r)), G(r) ⊕ m_b, H'(pk_{id_b}, r, m_b)) for a random bit b ∈ {0,1} and r ∈ {0,1}^k. Decryption queries are answered by the challenger using the decryption algorithm described above. The adversary eventually outputs the bit b' and wins if b' = b. For any PPT adversary A we have

Adv^{ai-cca}_{PKE'}(A) = Adv_{G_0}(A) − 1/2

Game 1. Similar to game 0, except that on decryption queries of the form c = (c_1, c_2, c_3) where c_1 = c_1^*, if there exists a tuple of the form (q, c_3) ∈ H'_list, the challenger parses (pk, r, m) ← q, and recomputes the first two components of the ciphertext using these values. If they match c_1 and c_2 sent by the adversary, it returns m. If the values do not match or a tuple of the form (q, c_3) does not exist, the challenger returns ⊥.

A's view in the two games differs only in the case that he has not queried q to the list but is able to guess c_3 = H'(q). This only happens with probability 1/2^k for every decryption query. Hence

Adv_{G_0}(A) − Adv_{G_1}(A) ≤ q_D/2^k

Game 2. This game is identical to game 1 except that if A makes an oracle query for H or G on input r, where r is the random message encrypted in the challenge ciphertext, the challenger outputs fail and ends the game.

Based on the fundamental lemma of game playing we have

Adv_{G_1}(A) − Adv_{G_2}(A) ≤ Pr[G_2^A → fail]

Next we bound the probability of outputting fail by the advantage of an adversary B who plays the one-way-CCA game against the PKE scheme. We show that for any adversary A winning the game G_2, there exists a PPT adversary B winning the one-way-CCA game against the original scheme PKE.

B generates a random index i ∈ [1..q_H]. B then runs A. When A makes his challenge query (m_0, m_1, id_0, id_1), B generates a random bit b, and asks for his challenge ciphertext under id_b to receive c_1^* = Enc(pk_{id_b}, r) for a random message r. B computes c_2^* and c_3^* on his own and replies to A with (c_1^*, c_2^*, c_3^*).

On an oracle query a (for any of the three oracles), if this is the i-th oracle query, B outputs a to his own challenger and halts. Else, if a was queried before, he returns the same answer, and if not, he generates a random answer and adds the tuple to the corresponding list.

On a decryption query (c_1, c_2, c_3) where c_1 ≠ c_1^*, B uses his own decryption oracle for Dec and performs the Dec' decryption algorithm. Here, it is critical for the randomness used in the encryption algorithm to be derivable from the decrypted message, and this is why H(·) is used as the randomness (or else B would not be able to perform the verification component of Dec'). For any decryption query (c_1, c_2, c_3) where c_1 = c_1^*, B performs exactly what the challenger in game 1 does. It is easy to see that

Pr[G_2^A → fail] ≤ q_H · Adv^{ow-cca}_{PKE}(B) ≤ q_H · Adv^{ai-cca}_{PKE}(B).

For any adversary A who makes an oracle query for the challenge random message, there is an adversary B' who does not make such a query and has a better advantage (since such a query does not help the adversary win):

Adv_{G_2}(A) ≤ Adv_{G_2}(B')

Finally, given that B' does not query r to the oracle, the challenge ciphertext is completely independent of the challenge bit b and hence

Adv_{G_2}(B') = 1/2

Putting everything together we have:

Adv^{ai-cca}_{PKE'}(A) ≤ q_D/2^k + q_H · Adv^{ai-cca}_{PKE}(B)

Claim 4.6. For any adversary A against PKE' we have Adv^{srob-cca}_{PKE'}(A) ≤ 1/2^k.

Proof. The proof of the above claim is simple. The main observation is that a ciphertext (c_1, c_2, c_3) is valid under two different public keys only if H'(pk, ·, ·) = H'(pk', ·, ·) where pk ≠ pk'. But this only happens with probability 1/2^k due to the fact that H' is a random oracle.

5 Collision-Free Encryption and Robustness

In this section we introduce the notion of collision-freeness, a natural relaxation of the notion of robustness for general encryption schemes. Intuitively, collision-freeness requires that a ciphertext decrypts to two different plaintexts when decrypted using distinct secret keys. Our main motivation is to use collision-freeness as a stepping stone for designing robust encryption schemes. In particular, we design a more efficient construction for transforming collision-free encryption schemes into strongly robust ones. However, we also believe that collision-freeness is a sufficient property in some scenarios in practice.

Similar to the notion of robustness, we consider weak and strong collision-freeness (WCFR and SCFR). Interestingly, we show that schemes such as the El Gamal PKE scheme [13] and the Boyen-Waters IBE scheme are strongly collision-free even though they are known not to be even weakly robust. Hence, collision-freeness seems to be a less restrictive assumption on an encryption scheme and one that most encryption schemes seem to satisfy without any modifications. The following security game defines the two variants:

— Setup: Challenger runs (pars, msk) ← Pg(1^k); b ← {0,1}; U, V ← ∅.

— Queries:

  • Public key query id. Challenger lets U ← U ∪ {id}; (Ek[id], Dk[id]) ← Kg(pars, msk, id) and returns Ek[id].

  • Decryption-key query id. If id ∉ U or id ∈ S return ⊥. Else V ← V ∪ {id} and return Dk[id].

  • Decryption query (C, id). If id ∉ U return ⊥. Else let M ← Dec(pars, Ek[id], Dk[id], C), and return M.

  • Final message (id_0, id_1, M) (for WCFR). If id_0 = id_1 or id_0 ∉ U or id_1 ∉ U or id_0 ∈ V or id_1 ∈ V return 0. Else let C* ← Enc(pars, Ek[id_0], M); M' ← Dec(pars, Ek[id_1], Dk[id_1], C*); if M' = M return 1, else return 0.

  • Final message (id_0, id_1, C) (for SCFR). If id_0 = id_1 or id_0 ∉ U or id_1 ∉ U or id_0 ∈ V or id_1 ∈ V return 0. Else let M_0 ← Dec(pars, Ek[id_0], Dk[id_0], C); M_1 ← Dec(pars, Ek[id_1], Dk[id_1], C); if M_0 = M_1 return 1, else return 0.

In the case of CPA attacks, no decryption queries are allowed. Adversary A's advantage in the {WCFR, SCFR}-{CPA, CCA} game is:

Adv^{{wcfr,scfr}-{cpa,cca}}_{PKE}(A) = Pr[G^A → 1]

Collision-freeness of an encryption scheme can be a sufficient requirement in some scenarios in practice. For example, if the receiver expects to see a specific message as part of the protocol but after decrypting using his secret key recovers a different one, he can detect an error and stop the communication. This makes collision-freeness a particularly attractive definition, since most of the existing anonymous encryption schemes already satisfy this property without any additional modifications. The following claim mentions two well-known encryption schemes, both of which are known not to be weakly robust but which are collision-free.

Claim 5.1. The El Gamal PKE scheme and the Boyen-Waters anonymous IBE scheme are SCFR-CPA schemes.

The proof of the above claim is quite simple but is omitted due to lack of space. Next we give a construction for transforming any strongly collision-free AI-CPA scheme into a strongly robust one. First we use the collision-free encryption scheme PKE to encrypt a random message r. Then, we hash the random message using a compressing collision-resistant hash function h. We then use a strong extractor (e.g. a universal hash function) to extract the remaining randomness in r and use it as the key to a one-time symmetric-key encryption scheme.

The intuition is that (1) the collision-freeness of the PKE and the collision-resistance of the hash function h combined imply the strong robustness of the resulting scheme. More specifically, it is not hard to show that given any adversary that breaks the strong robustness of PKE', there exists an adversary that finds a collision for h: the collision-finding adversary decrypts the same ciphertext using the secret keys for two different public keys (identities) and outputs the two plaintexts as his collision for the hash function. The collision-freeness of the PKE ensures that the two plaintexts are different with high probability. (2) Given that r is chosen uniformly at random, PKE is IND-CPA secure, and h(r) only leaks a fraction of the bits of r, we can use the leftover hash lemma to extract most of the remaining randomness and use it as the secret key to the symmetric-key encryption scheme.
Construction 5.2. Let PKE = (Pg, Kg, Enc, Dec) be a (SCFR-CPA + AI-CPA) general encryption scheme; h : {0,1}^{ℓ_1} → {0,1}^{ℓ_2} be a collision-resistant hash function; Ext : {0,1}^k × {0,1}^{ℓ_1} → {0,1}^{ℓ_3} be a family of pairwise independent hash functions, where ℓ_3 ≪ ℓ_1 − ℓ_2; and 𝓔 = (SK, SE, SD) be a one-time IND-CPA symmetric-key encryption scheme. We construct the general encryption scheme PKE' = (Pg', Kg', Enc', Dec'):

• Parameter Generation: On input 1^k return (pars, msk) ← Pg(1^k).

• Key Generation: On input pars, msk, id, return (pk_id, sk_id) ← Kg(pars, msk, id).

• Encryption: On input pars, pk_id, m, generate a random r ∈ {0,1}^{ℓ_1} and K ∈ {0,1}^k and return

  (Enc(pars, pk_id, r), h(r), K, SE(Ext(K, r), m)).

• Decryption: On inputs pars, pk_id, sk_id, (c_1, c_2, K, c_3), compute r' ← Dec(pars, pk_id, sk_id, c_1). If h(r') = c_2 return m' ← SD(Ext(K, r'), c_3), else return ⊥.
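A toy instantiation of both transformations, Construction 4.4 and Construction 5.2, as an added example that is not code from the paper. It uses ElGamal in Z_P^* (with a constructed Mersenne-prime modulus, SHA-256 standing in for the random oracles and for h, an affine family as Ext, and a one-time pad as the symmetric scheme; all of these are assumptions of the example) as the base scheme PKE, and shows that ElGamal alone decrypts to some plaintext under a wrong key while both PKE' constructions return ⊥.

```python
"""Toy instantiation of Constructions 4.4 and 5.2 over ElGamal.

Added example, not code from the paper. ElGamal in Z_P^* stands in for the
base general encryption scheme PKE = (Pg, Kg, Enc, Dec): it is collision-free
(Claim 5.1) but not robust, since Dec under a wrong key still returns some
plaintext. Group, hash lengths and the extractor family are constructed toy
choices chosen for illustration, not for security.
"""
import hashlib
import secrets

P = (1 << 61) - 1        # constructed toy group Z_P^*, P a Mersenne prime
GEN = 3                  # constructed base element
K = 32                   # k: bit length of r, m and hash outputs (Construction 4.4)
L1, L2, L3 = 60, 20, 32  # ell_1, ell_2, ell_3 (Construction 5.2), ell_3 << ell_1 - ell_2


def ro(tag: bytes, *parts: int, bits: int) -> int:
    """Random-oracle stand-in: domain-separated SHA-256 truncated to `bits` bits."""
    h = hashlib.sha256(tag)
    for x in parts:
        h.update(x.to_bytes(16, "big"))
    return int.from_bytes(h.digest(), "big") % (1 << bits)


# --- base scheme PKE: ElGamal with explicit coins; one key pair per identity
def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return pow(GEN, sk, P), sk

def enc(pk: int, msg: int, rho: int):
    """Enc(pk, msg; rho) for msg in [1, P-1]; rho in [1, P-2] is the coin."""
    return pow(GEN, rho, P), pow(pk, rho, P) * msg % P

def dec(sk: int, ct):
    """Never fails: under a wrong key sk' it returns msg * GEN^(rho (sk-sk'))."""
    c1, c2 = ct
    return c2 * pow(c1, P - 1 - sk, P) % P


# --- Construction 4.4: (Enc(pk, r; H(r)), G(r) xor m, H'(pk, r, m))
def coin(r: int) -> int:
    """H(r), mapped into the coin space so Dec' can re-encrypt deterministically."""
    return 1 + ro(b"H", r, bits=64) % (P - 2)

def enc44(pk: int, m: int, r=None):
    r = secrets.randbelow(1 << K) if r is None else r
    return (enc(pk, r + 1, coin(r)), ro(b"G", r, bits=K) ^ m,
            ro(b"H'", pk, r, m, bits=K))

def dec44(pk: int, sk: int, ct):
    c1, c2, c3 = ct
    r = dec(sk, c1) - 1
    # re-encryption check: rejects wrong keys and mauled c1 (only possible
    # because the coin is derived from r via H)
    if not 0 <= r < (1 << K) or enc(pk, r + 1, coin(r)) != c1:
        return None                                   # bottom
    m = c2 ^ ro(b"G", r, bits=K)
    # H' binds pk into the tag: the same ciphertext cannot verify under pk' != pk
    return m if ro(b"H'", pk, r, m, bits=K) == c3 else None


# --- Construction 5.2: (Enc(pk, r), h(r), K, SE(Ext(K, r), m))
def crhf(r: int) -> int:
    """h: compressing collision-resistant hash, ell_1 -> ell_2 bits."""
    return ro(b"h", r, bits=L2)

def ext(key, r: int) -> int:
    """Ext(K, r): pairwise-independent family (a*r + b mod P) mod 2^ell_3."""
    a, b = key
    return ((a * r + b) % P) % (1 << L3)

def enc52(pk: int, m: int, r=None, key=None):
    r = secrets.randbelow(1 << L1) if r is None else r
    key = key or (secrets.randbelow(P), secrets.randbelow(P))   # extractor seed K
    rho = secrets.randbelow(P - 2) + 1
    # a one-time pad on ell_3 bits plays the one-time IND-CPA symmetric scheme
    return enc(pk, r + 1, rho), crhf(r), key, ext(key, r) ^ m

def dec52(sk: int, ct):
    c1, c2, key, c3 = ct
    r = dec(sk, c1) - 1
    # a wrong key yields a different r (collision-freeness), so h(r) != c2 w.h.p.
    if r < 0 or crhf(r) != c2:
        return None                                   # bottom
    return ext(key, r) ^ c3


if __name__ == "__main__":
    pk_a, sk_a = keygen()
    pk_b, sk_b = keygen()
    ct = enc44(pk_a, 0xDEADBEEF)
    print(hex(dec44(pk_a, sk_a, ct)), dec44(pk_b, sk_b, ct))      # message, None
    ct = enc52(pk_a, 0xCAFEBABE)
    print(hex(dec52(sk_a, ct)), dec52(sk_b, ct))                  # message, None
    print("plain ElGamal under the wrong key still yields:", dec(sk_b, ct[0]))
```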

The following theorem summarizes the result. Due to lack of space, we defer the proof to the full version of the paper.

Theorem 3. Let PKE be an (AI-CPA + SCFR-CPA) secure general encryption scheme, h be a CRHF, Ext be a pairwise independent hash function and 𝓔 be a one-time IND-CPA symmetric-key encryption scheme. Then, the PKE' scheme of Construction 5.2 is both AI-CPA secure and SROB-CPA secure.

Efficiency and Comparison. The computational overhead for the transformation is negligible, as it includes one invocation of a collision-resistant hash function and one of a pairwise-independent hash function. As an alternative to the above construction, one could also combine Construction 4.1, which leads to a weakly robust encryption scheme, with the weak-to-strong-robustness transformations of [2] to achieve the same goal. However, the resulting transformations are less efficient than the above transformation, since we also took advantage of the collision-freeness of the encryption scheme. Furthermore, since all the encryption schemes we know of seem to possess the collision-freeness property, the improved efficiency comes for "free".
Abstract. Beginning with the work of Groth and Sahai, there has been 
much interest in transforming pairing-based schemes in composite-order 
groups to equivalent ones in prime-order groups. A method for achieving 
such transformations has recently been proposed by Freeman, who iden- 
tified two properties of pairings using composite-order groups — “can- 
celling” and “projecting” — on which many schemes rely, and showed 
how either of these properties can be obtained using prime-order groups. 

In this paper, we give evidence for the existence of limits to such trans- 
formations. Specifically, we show that a pairing generated in a natural 
way from the Decision Linear assumption in prime-order groups can be 
simultaneously cancelling and projecting only with negligible probability. 

As evidence that these properties can be helpful together as well as 
individually, we present a cryptosystem whose proof of security makes 
use of a pairing that is both cancelling and projecting. Our example 
cryptosystem is a simple round-optimal blind signature scheme that is 
secure in the common reference string model, without random oracles, 
and based on mild assumptions; it is of independent interest. 


1 Introduction

Composite-order groups were introduced for pairing-based cryptography in 2005 by Boneh, Goh, and Nissim [12] and have since been used to realize a large number of cryptographic systems (see, e.g., the schemes surveyed by Freeman [22]). At the same time, the limited number of elliptic curve families on which composite-order groups can be instantiated and the larger parameter sizes associated with composite-order groups (cf. [23]) have motivated research on translating these schemes to, or obtaining similar ones in, the prime-order setting.

In one of the first papers to unify the composite- and prime-order settings, Groth and Sahai developed non-interactive zero-knowledge schemes that not only can be instantiated either in composite- or prime-order groups, but are in fact described identically in either instantiation. What facilitates this flexibility is a new abstraction for pairing-based cryptography in terms of modules over finite commutative rings with an associated bilinear map; this abstraction allows for the simultaneous treatment of three different cryptographic assumptions: the Subgroup Hiding (SGH) assumption of Boneh, Goh, and Nissim [12] in composite-order groups; the Decision Linear (DLIN) assumption of Boneh, Boyen, and Shacham, and its k-Linear family of generalizations^1 in prime-order groups; and the so-called Symmetric External Diffie-Hellman assumption [7], also in prime-order groups.

M. Abe (Ed.): ASIACRYPT 2010, LNCS 6477, pp. 519-538, 2010.

More recently, Freeman and Garg, Sahai, and Waters have proposed methods for transforming schemes secure in the composite-order setting into ones secure (under different but analogous assumptions) in the prime-order setting. Freeman, in particular, identifies two properties of pairings on composite-order groups, projecting and cancelling, and shows how either can be obtained in prime-order groups. He then demonstrates how to transform several known cryptosystems that rely on one of these properties from composite- to prime-order groups.

Our contribution: limits on transformations from composite to prime order. In this paper, we show limits to the feasibility of composite-to-prime transformations such as those mentioned above, suggesting that some schemes cannot be transformed mechanically from one setting to the other. In our main theorem, Theorem 6.5, we show that no pairing over prime-order groups can — except in a negligible fraction of cases — be both projecting and cancelling when subgroup indistinguishability relies in a natural way on k-Linear, where "natural" simply means that we follow the definition of the assumption as closely as possible.

If no cryptosystem required a pairing that is both projecting and cancelling, however, our Theorem 6.5 would not be particularly interesting. As such, we present a new cryptosystem — a natural pairing-based blind signature scheme that is of independent interest, and discussed below — whose proof of security calls for a pairing that is both projecting and cancelling.^2

Blind signatures were introduced by Chaum in 1982 [17]. In a blind signature scheme, a user interacts in a protocol with a signer to obtain a signature on a message of the user's choice. When the protocol execution ends, the user obtains the signature but the signer learns nothing about the message that was signed. Blind signatures have been used as a building block in a variety of applications, including electronic cash and electronic voting [11].

One useful feature of a blind signature scheme is concurrency. For example, if a blind signature used to build an electronic cash system does not retain its security even when the signer engages in multiple protocol executions concurrently, it leaves the issuing bank susceptible to denial-of-service attacks. Concurrency turns out to be as difficult to achieve for blind signatures as it is for other cryptographic protocols. While many blind signature schemes have proofs of security only for sequential executions of the protocol, the problem is not merely with proofs. In one example, Martinet, Poupard, and Sola show that signatures in a partially blind signature scheme of Cao, Lin and Xue are forgeable if the signer interacts with two users concurrently.

1 A family of progressively strictly weaker decisional assumptions, where 1-Linear is DDH and 2-Linear is DLIN.

2 We emphasize that it is the security proof, not the statement of the scheme, that uses the two pairing properties. We thus do not rule out the possibility that a different proof strategy will show our scheme secure in prime-order groups.

Our contribution: a round-optimal blind signature scheme. As mentioned above, we present a new pairing-based blind signature scheme. Our blind signing protocol is round-optimal: it consists of only two moves (a request and a response), which implies that it is secure even in the presence of concurrent signing protocol executions. Our scheme is practical, has a proof of security (without random oracles) in the common reference string model, and relies for its security on falsifiable and non-interactive assumptions: computational Diffie-Hellman and Subgroup Hiding. These assumptions are milder than those used in any previous practical concurrently secure blind signature, including those in the random oracle model. ("Practical" in this sense means not relying on general NIZKs for NP as a building block.) Our scheme extends in a natural way to give a partially blind signature scheme [3] with the same properties.

Our blind signatures combine the Waters signature scheme [38] with non-interactive witness-indistinguishable proofs developed in a line of papers by Groth, Ostrovsky, and Sahai. In this structure our scheme is related to the group signature scheme of Boyen and Waters [13]. The primary disadvantage of our scheme, as with the Boyen-Waters group signature, is its bit-at-a-time nature, which makes the user's blind signing request large: some 40 kilobytes at the 1024-bit security level. The signer's response and the resulting signatures, however, are short.

Related work. The blind signature literature is extensive and varied. Below, we briefly survey the most closely related schemes with concurrent security; see [5, 14] for more complete recent treatments.

In the random oracle model, there exist elegant round-optimal blind signatures, due to Chaum and Boldyreva, that feature short public keys, short signatures, and an efficient blind signing protocol. Unfortunately the security proofs for these schemes rely on strong interactive assumptions: the RSA known-target inversion assumption and the chosen-target CDH assumption (by contrast, the underlying ordinary signatures can be shown secure using RSA and CDH, respectively).

In the common reference string model, several practical concurrently secure blind signature schemes have been proposed. Unlike our scheme, these schemes rely on assumptions that are interactive or whose statement size grows with the number of queries in the reduction (i.e., "q-type"). Kiayias and Zhou give four-move blind and partially-blind signature schemes secure under the (interactive) LRSW assumption [37], the Paillier assumption, and DLIN. Okamoto gives four-move blind and partially blind signature schemes based on the (q-type) Two-Variable Strong Diffie-Hellman assumption and Paillier. Fuchsbauer gives two-move blind signature schemes based on the (q-type) Asymmetric Double Hidden Strong Diffie-Hellman assumption, the Asymmetric Weak Flexible CDH assumption, and DLIN. Finally, Abe, Haralambiev, and Ohkubo give two-move blind signature schemes based on the (q-type) Simultaneous Flexible Pairing assumption and DLIN. (The last two papers appeared together.)

Also in the common reference string model, blind signatures that use general NIZKs for NP (and are therefore not practical) were given by Juels, Luby, and Ostrovsky [21], Fischlin, and Abe and Ohkubo [8]. The Fischlin and Abe-Ohkubo schemes are round-optimal.

Okamoto first observed that the Waters signature can be combined with witness-indistinguishable proofs for a simple NP language to yield blind and partially blind signatures. Our scheme could be viewed as an instantiation of Okamoto's framework (though we blind the message differently) where we take advantage of Groth-Ostrovsky-Sahai proofs to eliminate a round of interaction.

Until recently, no concurrently secure blind signature schemes were known in the plain public-key model. The first such scheme was given by Hazay et al.; it relies on general NIZKs, and its round complexity is poly-logarithmic in the number of concurrent executions for which security must be guaranteed.

Applications and extensions. Finally, as an application of our techniques, we show (in the full version of our paper) how our blind signatures may be used within the Waters IBE system to yield a blind IBE scheme, as introduced by Green and Hohenberger. Compared to Green and Hohenberger's blind extraction protocol, our protocol achieves concurrent security but adds a common reference string and a reliance on the SGH assumption.^3 Furthermore, the Waters signature naturally extends into a hierarchical identity-based signature; applying our construction at level 2 of the resulting signature gives an identity-based blind signature [47] concurrently secure in the common reference string model.^4 Alternatively, using the Boyen-Waters group signature at level 1 of the hierarchy and our blind signature at level 2 gives a group blind signature concurrently secure in the common reference string model.

2 Mathematical Background 

In this paper, we work with bilinear groups, which are cyclic groups G of some finite order that admit a nondegenerate bilinear map e : G × G → G_T. Because we generalize the concept of a group and work with modules, we are able to describe our scheme without relying on any particular properties of the underlying group (with the caveat, as mentioned above, that the scheme is provably secure only for composite-order groups).

3 The efficient range proofs due to Boudot rely on the Strong RSA assumption (due to Barić and Pfitzmann) and require a common reference string. If the scheme of Green and Hohenberger is instantiated with these range proofs then its assumptions and setup model are comparable to those of our scheme, but without providing concurrent security.

4 One could also obtain an identity-based blind signature through generic composition of our blind signature and an ordinary signature.

2.1 Modules

We first recall the definition of a module; this serves as the foundation for our blind signature scheme, and more specifically for the Groth-Sahai commitments used in our scheme.

Definition 2.1. Let (R, +, ·, 0, 1) be a finite commutative ring. An R-module A is an abelian group (A, +, 0) such that there exists an operator (namely, scalar multiplication) R × A → A, denoted by (r, x) ↦ rx, satisfying the following four properties for all r, s ∈ R and x, y ∈ A:

— (r + s)x = rx + sx.

— r(x + y) = rx + ry.

— r(sx) = (rs)x.

— 1x = x.

When A is written multiplicatively our operator becomes exponentiation and the requirements are written as x^{r+s} = x^r · x^s, (x · y)^r = x^r · y^r, (x^r)^s = x^{rs}, and x^1 = x for all r, s ∈ R and x, y ∈ A.

The concept of a module generalizes that of a vector space: when R is a field, the definitions of an R-module and an R-vector space coincide. The concept of a module also generalizes the concept of an abelian group, as any abelian group can be viewed as a Z-module. If A is isomorphic to R^r as abelian groups, then r is the rank of A. When R is a field, module rank is the same as vector space dimension. In cryptography, we are most used to working with Z/nZ- and F_p-modules; for example, any finite group of exponent p can be viewed as an F_p-module.


2.2 Groth-Sahai Commitments

Groth and Sahai devise two types of commitments: commitments to elements in an R-module A, and commitments to elements in the ring R. For our purposes, we will need only commitments to bits; we can simplify things even further by always setting A = G for our bilinear group G.

To form commitments to module elements, Groth and Sahai define an R-module B and two homomorphisms τ : A → B and ρ : B → B_2.^5 These maps are defined such that, for some elements h_1, ..., h_m in B, ρ(h_i) = 1 for all i and ρ is non-trivial for all x that are not contained in B_1 := ⟨h_1, ..., h_m⟩. A commitment to x ∈ A is then defined as c(x) = τ(x) · ∏_{i=1}^{m} h_i^{r_i} for random values r_1, ..., r_m ← R. This means that the h_i elements act as keys for the commitment scheme, and that the common reference string is (R, A, B, τ, ρ, h_1, ..., h_m). There are two cases:

5 Our notation differs from that of Groth and Sahai, but the ideas are the same.


524 S. Meiklejohn, H. Shacham, and D.M. Freeman 


— Hiding keys: in this case, the h_i elements generate the whole module B; in other words, B_1 = ⟨h_1, ..., h_m⟩ = B. This implies that τ(A) ⊆ B_1, which means that c(x) will be perfectly hiding (as each commitment will be a random element of B).

— Binding keys: in this case, B_1 ≠ B and ρ(c) = ρ(τ(x) h^r) = ρ ∘ τ(x) for some restricted space of inputs x. To determine what this restricted space is, we see that c will generally reveal the coset of B_1 where τ(x) lives. Thus in order for the commitment to be perfectly binding we must restrict the space of inputs x to be the inverse image of B_2 ≅ B/B_1; because we know that B_1 ≠ B, both B_2 and τ^{-1}(B_2) are non-trivial and so this domain restriction is actually meaningful. (Since B is an abelian group, the quotient module is always well-defined.)

It is clear from these definitions that a set of keys cannot be both hiding and binding, as the two settings require very different properties of the commitment keys h_1, ..., h_m. To get any meaningful blindness properties, however, we need these two settings to be indistinguishable. We therefore require an assumption that implies this indistinguishability; the choice of assumption depends on the instantiation being used.


3 Security Notions for Blind Signatures

We define a blind or partially blind signature scheme in the common reference string (CRS) model to be a collection of four protocols: a Setup(1^k) algorithm that outputs the CRS σ_CRS, a KeyGen(σ_CRS) algorithm that outputs the signing key pair (pk, sk), a BlindSign protocol, which consists of an interaction of the form User(σ_CRS, pk, M) ↔ Signer(σ_CRS, sk) (in which the signer outputs success if the protocol is successful, and the user outputs success and the unblinded signature σ), and finally a Verify(σ_CRS, pk, M, σ) algorithm that outputs accept if the signature is valid and fail if not.

In general, there are two properties that blind and partially blind signatures must satisfy: blindness and one-more unforgeability. Informally, the blindness requirement says that in the process of signing a user's message, the signer does not learn anything about the message he is signing. The one-more unforgeability requirement says that if the user interacts with the signer ℓ times, then he should be able to produce ℓ signatures and no more (so in particular, he cannot produce ℓ + 1). We now describe these properties more formally.


3.1 Blind Signatures 

Formal definitions of blind signatures were introduced by Juels, Luby, and Ostrovsky, although both properties were considered informally in Chaum's original paper on the subject, and one-more unforgeability was considered formally in Pointcheval and Stern's work on security arguments for signatures.

In the Juels-Luby-Ostrovsky formalization, the blindness property is defined as follows: the adversary is given a public-private key pair and outputs two messages $M_0$ and $M_1$. He then engages in two signing protocols with honest users: the first user requests a signature on message $M_b$ and the second on message $M_{1-b}$, where $b$ is a random bit unknown to the adversary. The adversary is then given the resulting signatures $\sigma_0$ and $\sigma_1$, but only if both interactions are successful, and his goal is to guess the bit $b$ (given the messages, the corresponding signatures, and the signing protocol transcripts).

In this paper, we use a stronger version of the blindness property which allows the adversary to generate the signing key pair himself, possibly in a malicious manner. This strengthening was proposed independently in several recent papers.

The one-more unforgeability property can be defined as follows: the adversary is given a public key and engages in multiple executions of the blind signing protocol with a signer; the adversary is able to choose how to interleave the executions. At the end, the adversary is considered successful if he is able to output $\ell + 1$ distinct message-signature pairs $(M_1, \sigma_1), \ldots, (M_{\ell+1}, \sigma_{\ell+1})$, where $\ell$ is the number of executions in which the signer outputs success.

In this definition, two message-signature pairs $(M_i, \sigma_i)$ and $(M_j, \sigma_j)$ are considered distinct even if $M_i = M_j$ (so if $\sigma_i$ and $\sigma_j$ are just two different signatures on the same message) for $i \neq j$. Unfortunately, this means that any signature scheme in which signatures can be re-randomized (like our signature scheme, as we will see in Section 4) will automatically be unable to satisfy one-more unforgeability. We therefore weaken the property by requiring that the adversary be unable to output $\ell + 1$ message-signature pairs in which the messages are all distinct (see footnote 6). This modified definition was also considered recently by Okamoto.

We put all this information together and give a formal definition of security for blind signature schemes in the full version of this paper.


3.2 Partially Blind Signatures 

The security properties of blind signatures can also be extended to partially blind signatures; these formalizations are due to Abe and Okamoto. For partially blind signatures, the adversary outputs two info strings $\mathit{info}^{(0)}$ and $\mathit{info}^{(1)}$ in addition to its messages $M_0$ and $M_1$. It then interacts with two separate users in the same manner as before, except this time the first user requests a signature on $M_b$ using $\mathit{info}^{(0)}$ and the second requests a signature on $M_{1-b}$ with $\mathit{info}^{(1)}$. The adversary is given the resulting signatures $\sigma_0$ and $\sigma_1$ if both interactions were successful and if $\mathit{info}^{(0)} = \mathit{info}^{(1)}$. As before, his goal is to guess the bit $b$.

The one-more unforgeability property is also quite similar to the property for blind signatures; here, the adversary is allowed to choose the info string for each interaction with the signer. The goal is then for the adversary to output an info string $\mathit{info}^*$ as well as $\ell + 1$ message-signature pairs $(M_1, \sigma_1), \ldots, (M_{\ell+1}, \sigma_{\ell+1})$, where $\ell$ represents the number of interactions in which the signer output success while using the info string $\mathit{info}^*$.

6 We observe that blind signatures satisfying this weakened unforgeability property are still sufficient for e-cash and other standard applications of blind signatures.


526 S. Meiklejohn, H. Shacham, and D.M. Freeman

4 Underlying Signature Scheme 

As our underlying signature scheme we use a slightly modified version of the Waters signature scheme. Essentially, we just need to generalize the Waters signature scheme by bringing it into the language of modules so that we can use it in combination with Groth-Sahai commitments to create our blind signature scheme.


4.1 CRS Setup 

For the Waters signature, the required elements for the common reference string are a bilinear group $G$, the target group $G_T$ and the bilinear map $e\colon G \times G \to G_T$, as well as generators $g, u', u_1, \ldots, u_k$ for $G$, where $k$ denotes the length of the messages to be signed. We now add in the elements discussed in Section 2.2: we start with a ring $\mathcal{R}$ such that $G$ can be interpreted as an $\mathcal{R}$-module. We then add in an $\mathcal{R}$-module $B$, a map $\tau\colon G \to B$, a map $\rho\colon B \to G$, and a bilinear map $E\colon B \times B \to B_T$, which also requires us to specify a target module $B_T$ and the resulting $\tau_T$ and $\rho_T$ maps. This means that the CRS will be $\sigma_{\mathrm{sig}} = (\mathcal{R}, G, G_T, B, B_T, e, E, \tau, \tau_T, \rho, \rho_T, g, u', u_1, \ldots, u_k)$. The relations between all these maps are summarized in the following figure:


Fig. 1. Commutative diagram for our modules (diagram not reproduced): the top row is $e\colon G \times G \to G_T$ and the bottom row is $E\colon B \times B \to B_T$; the vertical arrows are $\tau\colon G \to B$ and $\rho\colon B \to G$ on the source side and $\tau_T\colon G_T \to B_T$ and $\rho_T\colon B_T \to G_T$ on the target side, and the square commutes.


4.2 Signing Protocol 

In our generalized Waters signature, the message space will be $\{0,1\}^k$ for some value $k$ (for example, to use hash-and-sign with SHA-1 as the hash function we would set $k = 160$). As noted above, the CRS, which is shared between the user and the signer, will contain $k + 1$ random generators of $G$.

- $\mathsf{Setup}(1^k)$: Output a tuple $\sigma_{\mathrm{sig}}$ that has been computed as described in the previous section.

- $\mathsf{KeyGen}(\sigma_{\mathrm{sig}})$: Pick a random value $a \leftarrow \mathcal{R}$ and set $A = E(\tau(g), \tau(g))^a$. The public key will be $pk = A$ and the secret key will be $sk = a$ (actually $\tau(g)^a$ will suffice).

- $\mathsf{Sign}(\sigma_{\mathrm{sig}}, sk, M)$: Write the message out bitwise as $M = b_1 \ldots b_k$, and write $sk = \tau(g)^a$. Pick a random $r \leftarrow \mathcal{R}$ and compute
$$S_1 = \tau(g)^a \Big(\tau(u') \prod_{i=1}^{k} \tau(u_i)^{b_i}\Big)^{r} \quad\text{and}\quad S_2 = \tau(g)^{-r}.$$
Output the signature $\sigma = (S_1, S_2)$.

- $\mathsf{Verify}(\sigma_{\mathrm{sig}}, pk, M, \sigma)$: Again, write the message out bitwise as $M = b_1 \ldots b_k$; also write the signature as $\sigma = (S_1, S_2)$ and the public key as $pk = A$. Check that these values satisfy the following equation:
$$E(S_1, \tau(g)) \cdot E\Big(S_2,\ \tau(u') \prod_{i=1}^{k} \tau(u_i)^{b_i}\Big) = A. \qquad (1)$$
If they do, output accept; else, output fail.

One nice property of the Waters signature (and our extended Waters signature) is that anyone can re-randomize a signature by choosing $s \leftarrow \mathcal{R}$ and computing $S_1' = S_1 \cdot \big(\tau(u') \prod_{i=1}^{k} \tau(u_i)^{b_i}\big)^{s}$ and $S_2' = S_2 \cdot \tau(g)^{-s}$. Since this results in $S_1' = \tau(g)^a \big(\tau(u') \prod_{i=1}^{k} \tau(u_i)^{b_i}\big)^{r+s}$ and $S_2' = \tau(g)^{-(r+s)}$, the re-randomization process really does give us a valid signature. In particular, the randomness in the resulting signature $(S_1', S_2')$ will be information-theoretically independent from the randomness $r$ chosen by the signer in the signature $(S_1, S_2)$.

We recall the computational Diffie-Hellman (CDH) assumption used for the 
Waters signature: 

Assumption 4.1. Let $\mathcal{G}$ be an algorithm that outputs a tuple $(q, G, g)$, where $G$ is a group of order $q$ (not necessarily prime) and $g$ is a generator of $G$. We say that $G$ satisfies the computational Diffie-Hellman assumption if it is computationally infeasible to compute the value $g^{ab}$ given the tuple $(g, g^a, g^b)$. More formally, for all PPT adversaries $\mathcal{A}$ there exists a negligible function $\nu(\cdot)$ and a security parameter $k_0$ such that the following holds for all $k > k_0$:
$$\Pr\big[(q, G, g) \leftarrow \mathcal{G}(1^k);\ a, b \leftarrow \mathbb{Z}_q : \mathcal{A}(g, g^a, g^b) = g^{ab}\big] = \nu(k).$$

The Waters signature scheme is existentially unforgeable if G satisfies the CDH 
assumption. In our extended version, the signature scheme will be existentially 
unforgeable if B satisfies the CDH assumption. As the proof is a trivial extension 
of Waters’ proof, we will not include it here. 


5 Our Blind Signature Scheme 

In this section we describe our blind signature scheme. Although we describe only the partially blind setting, our description also encapsulates the fully blind setting, which corresponds to the case $k_0 = 0$.





5.1 CRS Setup 

In our CRS we must include all the necessary elements for Groth-Sahai commitments as well as the values in the tuple $\sigma_{\mathrm{sig}}$ of Section 4.1. This means our CRS will be $\sigma_{\mathrm{CRS}} = (\sigma_{\mathrm{sig}}, h_1, \ldots, h_m)$, where the $h_i$ elements are binding keys for Groth-Sahai commitments. Specifically, the elements $h_i$ generate a proper submodule $B_1$ of the module $B$ used in the Waters signature scheme.

5.2 The Partially Blind Protocol 

In the following protocol, the user and signer both have access to an info string $\mathit{info}$. At the end of the protocol, the user obtains a signature on $\mathit{info} \| M$ for a message $M$, while the signer learns nothing beyond the fact that the message $M$ followed the guidelines laid out in $\mathit{info}$. In addition, the user and the signer will have agreed upon the length of the info string; call it $k_0$ for $0 \le k_0 \le k$. Setting $k_0 = 0$ corresponds to a fully blind signature, while setting $k_0 = k$ corresponds to an ordinary run of the (generalized) Waters signature scheme.

- $\mathsf{Setup}(1^k)$: Output $\sigma_{\mathrm{CRS}}$ as described in the previous section (Section 5.1).

- $\mathsf{KeyGen}(\sigma_{\mathrm{CRS}})$: Same as $\mathsf{KeyGen}$ from Section 4.2.

- $\mathsf{User}(\sigma_{\mathrm{CRS}}, pk, \mathit{info}, M)$: First write the info string out bitwise, as $\mathit{info} = b_1 \ldots b_{k_0}$, and similarly write the message as $M = b_{k_0+1} \ldots b_k$. Now, for each $i$ such that $k_0 < i \le k$, pick random values $t_{i1}, \ldots, t_{im} \leftarrow \mathcal{R}$ and compute
$$c_i = \tau(u_i)^{b_i} \cdot \prod_{j=1}^{m} h_j^{\,t_{ij}} \quad\text{and}\quad \pi_{ij} = \tau(u_i)^{(2b_i - 1)\,t_{ij}} \cdot \prod_{j'=1}^{m} h_{j'}^{\,t_{ij} t_{ij'}},$$
where $c_i$ acts as a GS commitment to the bit $b_i$ and $\pi_i = \{\pi_{ij}\}_{j=1}^{m}$ acts as a proof that the value contained in $c_i$ is in fact a 0 or a 1. Send the tuple $\mathit{req} = (c_{k_0+1}, \pi_{k_0+1}, \ldots, c_k, \pi_k)$ as a request to the signer (and save some state information $\mathit{state}$).

- $\mathsf{Signer}(\sigma_{\mathrm{CRS}}, sk, \mathit{info}, \mathit{req})$: First, write $\mathit{info} = b_1 \ldots b_{k_0}$ and $sk = \tau(g)^a$. Upon receiving the request, check that each $c_i$ is indeed a commitment to a 0 or 1 by checking that
$$E\big(c_i,\ \tau(u_i)^{-1} c_i\big) = \prod_{j=1}^{m} E(h_j, \pi_{ij}) \qquad (2)$$
for each $k_0 < i \le k$. If this equation fails to hold for any value of $i$, abort the protocol and output $\bot$. Otherwise, compute the value
$$c = \tau(u') \Big(\prod_{i=1}^{k_0} \tau(u_i)^{b_i}\Big) \Big(\prod_{i=k_0+1}^{k} c_i\Big).$$
Finally, pick a random value $r \leftarrow \mathcal{R}$ and compute
$$K_1 = \tau(g)^a \cdot c^{r}, \qquad K_2 = \tau(g)^{-r}, \qquad\text{and}\qquad K_{3j} = h_j^{-r} \ \text{ for } 1 \le j \le m.$$
Set $K_3 = \{K_{3j}\}_{j=1}^{m}$, send the tuple $(K_1, K_2, K_3)$ back to the user, and output success and $\mathit{info}$.


Limitations on Transformations from Composite- to Prime-Order Groups 529 


- $\mathsf{User}(\mathit{state}, (K_1, K_2, K_3))$: First, check that $K_2$ and $K_3$ were formed properly by checking satisfiability of
$$E(K_{3j}, \tau(g)) = E(K_2, h_j) \qquad (3)$$
for each $1 \le j \le m$. If this equation does not verify for some $j$, abort and output $\bot$. Otherwise, unblind the signature by computing
$$S_1 = K_1 \prod_{i=k_0+1}^{k} \prod_{j=1}^{m} K_{3j}^{\,t_{ij}} \quad\text{and}\quad S_2 = K_2. \qquad (4)$$
Next verify that this is a valid signature on $\mathit{info} \| M$ by running $\mathsf{Verify}(\sigma_{\mathrm{CRS}}, pk, \mathit{info} \| M, (S_1, S_2))$. If this step outputs fail, abort the protocol and output $\bot$. If it outputs accept, however, re-randomize the signature by choosing a random value $s \leftarrow \mathcal{R}$ and computing
$$S_1' = S_1 \Big(\tau(u') \prod_{i=1}^{k} \tau(u_i)^{b_i}\Big)^{s} \quad\text{and}\quad S_2' = S_2 \cdot \tau(g)^{-s}.$$
The final signature is $\sigma = (S_1', S_2')$: output $\sigma$ as well as $\mathit{info}$ and success.

- $\mathsf{Verify}(\sigma_{\mathrm{CRS}}, pk, M, \sigma)$: Same as $\mathsf{Verify}$ from Section 4.2.
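
Both the generalized Waters signature of Section 4.2 and the partially blind protocol above can be exercised end to end in a toy model. The following Python is an added example and is not code from the paper: it assumes the module $B$ is the additive group $\mathbb{Z}_n$ with $n = pq$ for two small primes $p, q$ (an assumption of the example), so that "exponentiation" $x^e$ becomes scalar multiplication $e \cdot x$, and it uses the symmetric bilinear map $E(x, y) = xy \bmod n$ into $B_T = \mathbb{Z}_n$. Discrete logarithms are trivial in this model, so it demonstrates only the algebra of the scheme (commitment check (2), consistency check (3), unblinding (4), verification (1) and re-randomization), never its security. The single commitment key $h_1 = g^p$, here $p \cdot g$, is the binding key of the SGH instantiation in Section 5.3, and $m = 1$.

```python
import secrets
from math import gcd

# Toy instantiation (assumption of this example): B = Z_n written additively, n = p*q for
# small primes p, q, and E(x, y) = x*y mod n.  Discrete logs are trivial here, so the code
# exercises the algebra of the scheme and says nothing about its security.
P, Q = 1000003, 1000033
N = P * Q
K0, K = 4, 12            # info-string length k_0 and total signed length k (in bits)


def E(x, y):             # symmetric bilinear map B x B -> B_T
    return x * y % N


def rand_scalar():
    return secrets.randbelow(N)


def rand_generator():    # any unit mod n generates Z_n
    while True:
        x = secrets.randbelow(N)
        if gcd(x, N) == 1:
            return x


def setup():
    """sigma_CRS: generators g, u', u_1..u_k and one GS key h_1 = g^p (binding setting)."""
    g = rand_generator()
    return {"g": g, "u0": rand_generator(),
            "u": [rand_generator() for _ in range(K)], "h": P * g % N}


def waters_hash(crs, bits):           # tau(u') prod_i tau(u_i)^{b_i}, additively
    return (crs["u0"] + sum(b * u for b, u in zip(bits, crs["u"]))) % N


def keygen(crs):                      # pk = E(tau(g), tau(g))^a,  sk = tau(g)^a
    a = rand_scalar()
    return E(crs["g"], crs["g"]) * a % N, a * crs["g"] % N


def sign(crs, sk, bits):              # S_1 = tau(g)^a (...)^r,  S_2 = tau(g)^{-r}
    r = rand_scalar()
    return (sk + r * waters_hash(crs, bits)) % N, -r * crs["g"] % N


def verify(crs, pk, bits, sig):       # equation (1)
    s1, s2 = sig
    return (E(s1, crs["g"]) + E(s2, waters_hash(crs, bits))) % N == pk


def rerandomize(crs, bits, sig):      # fresh randomness s, independent of the signer's r
    s = rand_scalar()
    return (sig[0] + s * waters_hash(crs, bits)) % N, (sig[1] - s * crs["g"]) % N


def user_request(crs, msg_bits):
    """Commit to each message bit (c_i = tau(u_i)^{b_i} h_1^{t_i}) with a proof pi_i that it is 0 or 1."""
    req, state = [], []
    for i, b in enumerate(msg_bits, start=K0):
        u, t = crs["u"][i], rand_scalar()
        c = (b * u + t * crs["h"]) % N
        pi = ((2 * b - 1) * t * u + t * t * crs["h"]) % N
        req.append((c, pi))
        state.append(t)
    return req, state


def signer(crs, sk, info_bits, req):
    """Check equation (2) for every commitment, then sign the product c (info bits in the clear)."""
    for i, (c, pi) in enumerate(req, start=K0):
        if E(c, (c - crs["u"][i]) % N) != E(crs["h"], pi):
            return None                                   # abort: c_i is not a commitment to 0 or 1
    c_all = (crs["u0"] + sum(b * u for b, u in zip(info_bits, crs["u"]))
             + sum(c for c, _ in req)) % N
    r = rand_scalar()
    return (sk + r * c_all) % N, -r * crs["g"] % N, -r * crs["h"] % N      # (K_1, K_2, K_31)


def user_finish(crs, pk, info_bits, msg_bits, state, reply):
    """Check equation (3), unblind with equation (4), verify, then re-randomize."""
    if reply is None:
        return None
    k1, k2, k3 = reply
    if E(k3, crs["g"]) != E(k2, crs["h"]):
        return None
    full = list(info_bits) + list(msg_bits)
    sig = ((k1 + sum(t * k3 for t in state)) % N, k2)
    if not verify(crs, pk, full, sig):
        return None
    return rerandomize(crs, full, sig)


def demo(info_bits=(1, 0, 1, 1), msg_bits=(0, 1, 1, 0, 0, 1, 0, 1)):
    """One honest session plus two negative cases; returns the outcome of each check."""
    crs = setup()
    pk, sk = keygen(crs)
    full = list(info_bits) + list(msg_bits)
    req, state = user_request(crs, msg_bits)
    sig = user_finish(crs, pk, info_bits, msg_bits, state, signer(crs, sk, info_bits, req))
    flipped = full[:-1] + [full[-1] ^ 1]
    bad_req, _ = user_request(crs, (2,) + tuple(msg_bits[1:]))   # "commitment" to 2, not a bit
    return {
        "blind_signature_verifies": sig is not None and verify(crs, pk, full, sig),
        "other_message_rejected": sig is not None and not verify(crs, pk, flipped, sig),
        "direct_rerandomized_verifies": verify(crs, pk, full, rerandomize(crs, full, sign(crs, sk, full))),
        "non_bit_commitment_rejected": signer(crs, sk, info_bits, bad_req) is None,
    }
```

`demo()` runs one session and reports the four checks. The rejected request shows why equation (2) is a bit proof: for a committed value $b$ both sides differ by $E(\tau(u_i), \tau(u_i))^{b(b-1)}$, which vanishes exactly when $b \in \{0, 1\}$ (in the toy model, when $b(b-1) \equiv 0 \bmod n$).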

Theorem 5.1. The blind signature scheme outlined above is correct and partially blind, under the assumption that the $h_i$ values in the hiding and binding settings are indistinguishable.

The proof of Theorem 5.1 appears in the full version of this paper. The theorem demonstrates correctness and (partial) blindness, but it does not show one-more unforgeability. In order to prove this last property, we need to define two properties of pairings, adapted from Freeman (§3 of that paper) for our purposes:

Definition 5.2. A pairing $E\colon B \times B \to B_T$ is cancelling if there exists a decomposition $B = B_1 \times B_2$ such that $E(b_1, b_2) = 1$ for all $b_1 \in B_1$, $b_2 \in B_2$.

Definition 5.3. A pairing $E\colon B \times B \to B_T$ is projecting if there exists a decomposition $B = B_1 \times B_2$, a submodule $B_T' \subset B_T$, and homomorphisms $\pi\colon B \to B$ and $\pi_T\colon B_T \to B_T$, such that $B_1 \subset \ker(\pi)$, $\pi(x) = x$ for $x \in B_2$, $B_T' \subset \ker(\pi_T)$, and $\pi_T(E(x, y)) = E(\pi(x), \pi(y))$ for all $x, y \in B$.

As we will see below, the pairing $E$ has both of these properties (with respect to the same decomposition $B = B_1 \times B_2$) when instantiated using composite-order groups under the Subgroup Hiding (SGH) assumption. Because SGH also provides the necessary indistinguishability properties, we obtain the following theorem, a proof of which can be found in the full version of this paper:

Theorem 5.4. The blind signature scheme outlined above is one-more unforgeable under the SGH assumption and the assumption that the modified Waters signature scheme in Section 4 is existentially unforgeable on the submodule $B_2 \subset B$.
5.3 Instantiation under the SGH Assumption

We first recall the Subgroup Hiding (SGH) assumption:

Assumption 5.5. Let $\mathcal{G}$ be an algorithm that outputs a tuple $(p, q, G, G_T, e)$ such that $G$ and $G_T$ are both groups of order $n = pq$ and $e\colon G \times G \to G_T$ is a nondegenerate bilinear map. We say that $G$ satisfies the Subgroup Hiding assumption if it is computationally infeasible to distinguish between an element of $G$ and an element of $G_q$. More formally, for all PPT adversaries $\mathcal{A}$ there exists a negligible function $\nu(\cdot)$ and a security parameter $k_0$ such that the following holds for all $k > k_0$:
$$\Big|\Pr\big[(p, q, G, G_T, e) \leftarrow \mathcal{G}(1^k);\ n = pq;\ x \leftarrow G : \mathcal{A}(n, G, G_T, e, x) = 0\big] - \Pr\big[(p, q, G, G_T, e) \leftarrow \mathcal{G}(1^k);\ n = pq;\ x \leftarrow G : \mathcal{A}(n, G, G_T, e, x^p) = 0\big]\Big| < \nu(k).$$

To instantiate our blind signature scheme under this assumption, we use a group $G$ of order $n = pq$ with $p, q$ prime. We define $B = G$ and $\tau$ to be the identity map; this means that we can use $E = e$. We need only one $h_i$ element, namely an $h_1$ such that $h_1$ generates $G_q$ in the binding setting and $h_1$ generates the whole group $G$ in the hiding setting. The SGH assumption tells us that these choices of $h_1$ are indistinguishable. We can also describe our $\rho$ map as $\rho(c_i) = c_i^{\,q} = (u_i^{\,q})^{b_i}$, since $h_1$ has order $q$. Because the $u_i$ are all generators for $G$ and therefore $u_i^{\,q} \neq 1$, we see that the $\rho$ map will indeed reveal the bit $b_i$.

Because $h_1$ will generate either $G$ or $G_q$, we have $B = G_p \times G_q$, which means (looking back at the statement of Theorem 5.4) that we assume for the security of our blind signature that CDH is hard in $G_p$. To see that the pairing $e$ is cancelling, note that every element of $G_p$ can be written as $a = g^{\alpha q}$ for some $\alpha \in \mathbb{F}_p$ and every element of $G_q$ can be written as $b = g^{\beta p}$ for some $\beta \in \mathbb{F}_q$. Then $e(a, b) = e(g^{\alpha q}, g^{\beta p}) = e(g^{\alpha \beta pq}, g) = e((g^n)^{\alpha\beta}, g) = 1$ because $G$ has order $n$. To see that $e$ is projecting, note that there exists a $\lambda \in \mathbb{Z}_n$ such that $\lambda \equiv 1 \pmod p$ and $\lambda \equiv 0 \pmod q$, and that furthermore this value is efficiently computable (given the factorization of $n$) using the Chinese Remainder Theorem. Thus exponentiating by $\lambda$ cancels out the $G_q$ component of a group element while leaving the $G_p$ component unchanged. This allows us to define $\pi(z) = z^{\lambda}$ for $z \in G$ and $\pi_T(z_T) = (z_T)^{\lambda}$ for $z_T \in G_T$. These maps are easily seen to satisfy the projecting properties.

Finally, to compute the value $h_1$ we can set $h_1 = g$ in the hiding setting and $h_1 = g^p$ in the binding setting. This means that, as with the map $\rho$, the factorization of $n$ will be required as a trapdoor to compute $h_1$.
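
The three facts used in this instantiation (cancelling because the subgroup orders are relatively prime, projecting via the CRT exponent $\lambda$, and the trapdoor map $\rho(c_i) = c_i^{\,q}$ opening a binding commitment) can be checked numerically. The Python below is an added example, not the paper's code, and it assumes the toy model $G = G_T = \mathbb{Z}_n$ written additively with $e(x, y) = xy \bmod n$, small primes $p, q$ and generator $g = 2$ (all assumptions of the example). In that model subgroup membership is decidable by a remainder test, so the SGH assumption is false there and nothing about hiding is shown; the code only exercises the algebra.

```python
# Toy model of the SGH instantiation (assumption of this example): G = G_T = Z_n written
# additively with n = p*q, e(x, y) = x*y mod n, generator g = 2.  Subgroup membership is
# trivially decidable here (x mod p == 0 <=> x in G_q), i.e. SGH is false in this model;
# only the algebra of cancelling, projecting and the rho trapdoor is demonstrated.
P, Q = 1000003, 1000033
N = P * Q
G_GEN = 2                       # a unit mod n, so it generates Z_n
U = 3                           # one Waters generator u_i (also a unit)
H_BIND = P * G_GEN % N          # h_1 = g^p: generates G_q   (binding setting)
H_HIDE = G_GEN                  # h_1 = g:   generates all of G (hiding setting)


def e(x, y):                    # the symmetric bilinear map, target written additively
    return x * y % N


def crt_lambda():
    """lambda = 1 mod p, 0 mod q; computing it needs the factorisation of n (the CRS trapdoor)."""
    return Q * pow(Q, -1, P) % N


LAM = crt_lambda()


def pi(z):                      # pi(z) = z^lambda: kills the G_q component, fixes the G_p one
    return z * LAM % N


def pi_T(zt):                   # the same map on the target group
    return zt * LAM % N


def elem_Gp(alpha):             # g^{alpha q}
    return alpha * Q * G_GEN % N


def elem_Gq(beta):              # g^{beta p}
    return beta * P * G_GEN % N


def cancelling_holds(alpha, beta):
    """e(g^{alpha q}, g^{beta p}) = e(g^n, g)^{alpha beta} = identity."""
    return e(elem_Gp(alpha), elem_Gq(beta)) == 0


def projecting_holds(x, y):
    """pi is the identity on G_p and zero on G_q, and pi_T(e(x, y)) = e(pi(x), pi(y))."""
    a, b = elem_Gp(x), elem_Gq(y)
    return pi(a) == a and pi(b) == 0 and pi_T(e(x, y)) == e(pi(x), pi(y))


def commit(bit, h, t):          # c_i = tau(u_i)^{b_i} h_1^{t_i}
    return (bit * U + t * h) % N


def rho(c):                     # rho(c_i) = c_i^q
    return c * Q % N


def extract_bit(c):
    """Under the binding key rho(c) is the identity for b_i = 0 and u_i^q for b_i = 1.
    Any other value means the commitment was not made under a key of order q."""
    r = rho(c)
    if r == 0:
        return 0
    if r == rho(U):
        return 1
    return None


def is_in_Gq(x):                # the trivial distinguisher that breaks SGH in this toy model
    return x % P == 0
```

With the hiding key $h_1 = g$, `extract_bit` returns `None` for any nonzero $t$: $\rho$ no longer cancels the randomness, which is the perfectly hiding side of the GS commitment, while the binding key makes the committed bit recoverable to whoever holds the factorization of $n$.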

The obvious downside of using our scheme under the SGH assumption is the use of a composite-order group, which necessitates a common reference string generated by a trusted third party (see footnote 7). The upside, on the other hand, is that the scheme is as efficient as possible under this assumption, as each part of the signature involves only one group element (see footnote 8).

7 It is an open problem to replace the trusted third party with an efficient secure multiparty computation protocol for computing the CRS.

6 Converting to a Prime-Order Setting 

In this section we argue that our scheme cannot be instantiated securely under a natural usage of the $k$-Linear family of assumptions in prime-order groups. The $k$-Linear family generalizes the Decision Diffie-Hellman and Decision Linear assumptions (which can be recovered by setting $k = 1$ or $2$, respectively) and is defined as follows:

Assumption 6.1. Let $\mathcal{G}$ be a generation algorithm that outputs a tuple $(p, G, g)$ such that $p$ is prime, $G$ is a group of order $p$, and $g$ is a generator of $G$. We say that $G$ satisfies the $k$-Linear assumption if it is computationally infeasible to distinguish between tuples of the form $(g^{a_1}, \ldots, g^{a_{k+1}}, g^{a_1 r_1}, \ldots, g^{a_k r_k}, g^{a_{k+1} \sum_{i=1}^{k} r_i})$ and tuples of the form $(g^{a_1}, \ldots, g^{a_{k+1}}, g^{a_1 r_1}, \ldots, g^{a_{k+1} r_{k+1}})$ for random $a_i, r_i \leftarrow \mathbb{F}_p$. More formally, for all PPT adversaries $\mathcal{A}$ there exists a negligible function $\nu(\cdot)$ and a security parameter $k_0$ such that the following holds for all $k > k_0$:
$$\Big|\Pr\big[(p, G, g) \leftarrow \mathcal{G}(1^k);\ a_i, r_i \leftarrow \mathbb{F}_p : \mathcal{A}(g^{a_1}, \ldots, g^{a_{k+1}}, g^{a_1 r_1}, \ldots, g^{a_k r_k}, g^{a_{k+1} \sum_{i=1}^{k} r_i}) = 0\big] - \Pr\big[(p, G, g) \leftarrow \mathcal{G}(1^k);\ a_i, r_i \leftarrow \mathbb{F}_p : \mathcal{A}(g^{a_1}, \ldots, g^{a_{k+1}}, g^{a_1 r_1}, \ldots, g^{a_{k+1} r_{k+1}}) = 0\big]\Big| < \nu(k).$$


Let $G$ be a bilinear group of prime order $p$ with a pairing $e\colon G \times G \to G_T$. When we refer to a "natural" use of the $k$-Linear assumption, we mean that we define the module $B$ to be $G^{k+1}$ and the module $B_1$ to be generated by $k$ elements of $B$ that span a rank-$k$ submodule. Indeed, one way to interpret the $k$-Linear assumption is that a random element in the submodule $B_1$ of $G^{k+1}$ generated by elements of the form $(1, \ldots, 1, g^{a_i}, 1, \ldots, 1, g)$ for $i = 1, \ldots, k$ is indistinguishable from a random element of $G^{k+1}$. Our use of the assumption generalizes this interpretation only slightly, by randomizing the generators of $B_1$. Note that in our setup the quotient module $B_2 = B / B_1$ has $\mathbb{F}_p$-rank 1.

Following Freeman (§2 of that paper), we define a (symmetric) pairing on $B$ by setting $B_T = (G_T)^m$ for some integer $m$ and choosing $(k+1) \times (k+1)$ (symmetric) matrices $E^{(\ell)}$ over $\mathbb{F}_p$ for $\ell = 1, \ldots, m$. We then set the $\ell$-th component of the pairing to be
$$E\big((g_1, \ldots, g_{k+1}), (h_1, \ldots, h_{k+1})\big)^{(\ell)} := \prod_{i,j} e(g_i, h_j)^{e^{(\ell)}_{ij}}, \qquad (5)$$
where $e^{(\ell)}_{ij}$ denotes the $(i, j)$-th entry of $E^{(\ell)}$.

8 Of course, the number of bits taken to represent the composite-order group element, approximately 1024, is much larger than it would be for a prime-order group element, which can be as small as 160 bits (at the 80-bit security level).

The connection between this setup and the $k$-Linear assumption is given by the following theorem:

Theorem 6.2 (Freeman, Theorem 2.5). Let $G, B, B_1, B_T$ be as described above, with $B_1$ a uniformly random rank-$k$ submodule of $B$. If $G$ satisfies the $k$-Linear assumption, then a random element of $B_1$ is computationally indistinguishable from a random element in $B$.

While any scheme based on Groth-Sahai proofs requires the projecting property of Definition 5.3 and the indistinguishability of elements in $B_1$ and $B$ (i.e., the indistinguishability of hiding and binding commitment keys), our scheme also requires the cancelling property of Definition 5.2. In the remainder of this section, we show that for any $k$, the three properties (projecting, cancelling, and key indistinguishability) cannot simultaneously be obtained in prime-order groups using the $k$-Linear assumption as described above, except with negligible probability (over the choice of the module $B_1$).

We start by showing that the image of a symmetric pairing on a group $G$ of prime order $p$ must also have order $p$. In what follows, we denote by $E(B, B)$ the submodule of $B_T$ generated by all elements of the form $E(x, y)$ for $x, y \in B$.

Lemma 6.3. If $G$ is a group of prime order $p$ and $e\colon G \times G \to G_T$ is a nondegenerate symmetric bilinear map, then the order of $e(G, G)$ is $p$.

Proof. We first observe that $e(G, G)$ has exponent $p$: to see this, note that since $G$ has order $p$, we have $e(x, y)^p = e(x^p, y) = e(1, y) = 1$ for any $x, y \in G$. Since $e(G, G)$ has exponent $p$, any element is of the form $z = \prod_i e(x_i, y_i)^{c_i}$ for $x_i, y_i \in G$ and $c_i \in \mathbb{F}_p$. Since $G$ is cyclic, we can write $x_i = g^{a_i}$ and $y_i = g^{b_i}$ for a generator $g$ and unique $a_i, b_i \in \mathbb{F}_p$. By bilinearity, we can write $z = e(g, g)^{\sum_i a_i b_i c_i}$, and therefore $e(G, G)$ is a cyclic group generated by $e(g, g)$; the nondegeneracy of $e$ implies that $e(g, g)$ has order $p$. □

Lemma 6.3 shows that by replacing $G_T$ with $e(G, G)$, we may assume without loss of generality that $G_T$ has order $p$. We make this assumption in the remainder of the section. We will also assume that the values used to define the pairing $E$ on the module $B$ are independent of the submodules $B_1$ and $B_2$; if they are not independent, then the fact that they are related to the (publicly known) generators of $B_1$ gives an adversary information about $B_1$ that could be used to break the indistinguishability assumption. Similarly, if the pairing depends on $B_2$, then the adversary may be able to use this information to compute an element $y \in B_2$; then given an element $x$ in either $B_1$ or $B$, he could compute $E(x, y)$ and conclude that $x \in B_1$ if and only if the resulting value is 1.

We can now show that in the prime-order setting our indistinguishability 
restrictions on B and its submodules will, with high probability, yield a pairing 
E that can be either projecting or cancelling, but not both at the same time. 
Our approach is to construct a cancelling pairing and then show that it implies 
that the image of the pairing E is of order p. We will then show that this implies 
that the pairing cannot satisfy the projecting property. 
In general, there are two methods in the literature for cancelling paired group elements. As seen in Section 5.3, the cancelling in the composite setting is fairly straightforward: it follows from the fact that the orders of the $G_p$ and $G_q$ subgroups are relatively prime. In a prime-order setting this is not an option, as every component (i.e., $G$, $G_T$, $B$, $B_1$, $B_2$, $B_T$) has exponent $p$. We therefore need to use linear combinations of exponents in order to successfully cancel elements. Our next result can be interpreted as showing that forming these linear combinations requires us to combine elements in the pairing and thus shrink the size of the pairing's image. To simplify notation, we state the proposition relative to the $(k-1)$-Linear assumption.

Proposition 6.4. Let $G$ be a bilinear group of prime order $p$ with pairing $e\colon G \times G \to G_T$. Let $B$ be the rank-$k$ $G$-module $G^k$, let $B_T = (G_T)^m$ for some positive integer $m$, and let $E\colon B \times B \to B_T$ be a nondegenerate pairing defined as in (5). If $B_1$ is a uniformly random rank-$(k-1)$ submodule of $B$ and $E$ is a cancelling pairing that is independent of the decomposition $B = B_1 \times B_2$, then $E(B, B)$ has order $p$ with overwhelming probability.

Proof. To start, we write elements in $B$ as either $a = (a_1, \ldots, a_k)$ or $b = (b_1, \ldots, b_k)$ with $a_i, b_i \in G$. Equivalently, we can fix a generator $g$ of $G$ and write $a = (g^{\alpha_1}, \ldots, g^{\alpha_k})$ and $b = (g^{\beta_1}, \ldots, g^{\beta_k})$ for exponents $\alpha_i, \beta_i \in \mathbb{F}_p$. As we saw in (5) above, the element $E(a, b) \in B_T$ is a tuple of elements of $G_T$, in which each entry is of the form $T = \prod_{i,j} e(a_i, b_j)^{e_{ij}}$. By assumption, the coefficients $e_{ij} \in \mathbb{F}_p$ are independent of the $\alpha_i$ and $\beta_i$ values.

Suppose that $a \in B_1$ and $b \in B_2$; let us see what we require in order to have $T = 1$. Let $\mathbf{a}_1, \ldots, \mathbf{a}_{k-1}$ be a set of generators of $B_1$, and write $\mathbf{a}_u = (g^{\alpha_{u1}}, \ldots, g^{\alpha_{uk}})$ for $u = 1, \ldots, k-1$. Then a general element of $B_1$ is given by $a = \mathbf{a}_1^{r_1} \cdots \mathbf{a}_{k-1}^{r_{k-1}}$ for arbitrary $r_1, \ldots, r_{k-1} \in \mathbb{F}_p$. Since $B_1$ has rank $k-1$, the submodule $B_2$ has rank 1 and a general element of $B_2$ is given by $b = (g^{\beta_1 t}, \ldots, g^{\beta_k t})$ for some fixed $\beta_1, \ldots, \beta_k \in \mathbb{F}_p$ and arbitrary $t \in \mathbb{F}_p$. Looking back at how our element $T$ is computed in (5), we can see that the condition $T = 1$ is equivalent to
$$\sum_{u=1}^{k-1} \sum_{i=1}^{k} \sum_{j=1}^{k} r_u\, \alpha_{ui}\, e_{ij}\, \beta_j\, t = 0 .$$
In matrix notation, this is $\mathbf{r} \cdot A \cdot E \cdot \mathbf{b} \cdot t = 0$, where $\mathbf{r}$ is the row vector $(r_1, \ldots, r_{k-1})$, $E = [e_{ij}]$ is the $k \times k$ matrix specifying the pairing coefficients (denoted $E^{(\ell)}$ in (5)), $A = [\alpha_{ui}]$ is the $(k-1) \times k$ matrix whose rows are the vectors corresponding to the generators of $B_1$, and $\mathbf{b}$ is the column vector $(\beta_1, \ldots, \beta_k)$. Because this requirement must hold for all values of $\mathbf{r}$ and $t$, we can further reduce the equation to $A \cdot E \cdot \mathbf{b} = 0$. We now consider two different cases: when $E$ is invertible and when $E$ is singular.

We first consider the case where $E$ is singular. The cancelling property requires that $A \cdot E \cdot \mathbf{b} = 0$. If $E \cdot \mathbf{b} = 0$, then the pairing is degenerate in this component, as any element paired with $b$ will be 1. Therefore, this cannot be the only type of element in the pairing tuple, or else the entire pairing would be degenerate. On the other hand, if $E \cdot \mathbf{b} \neq 0$, then since $A \cdot E \cdot \mathbf{b} = 0$, we see that $E \cdot \mathbf{b}$ is a nonzero vector in both the image of $E$ and the kernel of $A$.

Next we consider the case where $E$ is invertible, and consider not only the element $T$ but also another element $T'$ in the target tuple. The element $T'$ will have its own associated coefficient matrix $E'$, with the requirement that $A \cdot E' \cdot \mathbf{b} = 0$. Then we have $A \cdot E \cdot \mathbf{b} = A \cdot E' \cdot \mathbf{b} = 0$, which implies that $\mathbf{b}$ is contained in both the kernel of $A \cdot E$ and the kernel of $A \cdot E'$. Since $A$ has rank $k-1$ and we are assuming $E$ to be invertible, we know that the dimension of $\ker(A \cdot E)$ is 1. Furthermore, since $E$ is invertible we can write
$$A \cdot E' \cdot \mathbf{b} = A \cdot (E \cdot E^{-1}) \cdot E' \cdot \mathbf{b} = A \cdot E \cdot (E^{-1} \cdot E' \cdot \mathbf{b}) = 0,$$
which implies that $E^{-1} E' \cdot \mathbf{b}$ is also contained in the kernel of $A \cdot E$. Since this kernel is one-dimensional, $E^{-1} E' \cdot \mathbf{b}$ must be a constant multiple of $\mathbf{b}$; i.e., $E^{-1} E' \cdot \mathbf{b} = \lambda \cdot \mathbf{b}$ for some $\lambda \in \mathbb{F}_p$, and $\mathbf{b}$ is an eigenvector of $E^{-1} E'$.

We now observe that because $A$ has rank $k-1$, its kernel has rank one; furthermore, choosing a rank-$(k-1)$ submodule $B_1$ is equivalent to choosing the one-dimensional subspace $\ker(A)$. Since $E$ is invertible and independent of $B_1$, this is equivalent to choosing the one-dimensional subspace $\ker(A \cdot E)$. Let $u$ be any vector in $\ker(A \cdot E)$. Then $u = \gamma \cdot \mathbf{b}$ for some $\gamma \in \mathbb{F}_p$, and our analysis above shows that $u$ is an eigenvector of $E^{-1} E'$. Since $\ker(A \cdot E)$ can contain any nonzero vector $u$, this implies that every vector is an eigenvector of $E^{-1} E'$. Therefore $E^{-1} E'$ must be a diagonal matrix with the same value in each diagonal entry; in other words, we have $E^{-1} E' = cI$ for some constant $c \in \mathbb{F}_p$. Thus we have $E' = cI \cdot E = c \cdot E$, and so $T' = T^c$.

It remains only to put everything together. Let $E^{(\ell)}$ be the coefficient matrix from (5) used to compute the $\ell$-th component of the pairing. Our argument above shows that if one of the matrices $E^{(\ell)}$ is invertible, then all matrices $E^{(\ell')}$ are constant multiples of $E^{(\ell)}$, and therefore the order of $E(B, B)$ is the same as the order of $e(G, G) = G_T$, which is $p$. Thus if the pairing $E$ is cancelling and the order of $E(B, B)$ is greater than $p$, then none of the matrices $E^{(\ell)}$ can be invertible.

Now suppose all of the $E^{(\ell)}$ are singular. Our consideration of this case above shows that if the pairing $E$ is cancelling, then there must be some matrix $E^{(\ell)}$ with $\ker(A) \cap \mathrm{im}(E^{(\ell)}) \neq \{0\}$. As noted above, choosing the module $B_1$ is equivalent to choosing the one-dimensional subspace $\ker A$. Since $E^{(\ell)}$ is not invertible, we have $\dim(\mathrm{im}(E^{(\ell)})) \le k-1$. Thus the number of one-dimensional subspaces in $\mathrm{im}(E^{(\ell)})$ is at most $(p^{k-1} - 1)/(p - 1)$, while the number of one-dimensional subspaces in $\mathbb{F}_p^k$ is $(p^k - 1)/(p - 1)$. We conclude that the probability (taken over a uniformly random choice of $\ker(A)$ and thus also of $A$) that $\ker(A)$ has nontrivial intersection with the image of $E^{(\ell)}$ is at most $(p^{k-1} - 1)/(p^k - 1) < 2/p$. Taking a union bound, we conclude that the probability that $\ker(A) \cap \mathrm{im}(E^{(\ell)}) \neq \{0\}$ for some $\ell$ is at most $2m/p$, which is negligible. □

Putting all this together, we can prove our main theorem: 
Theorem 6.5. Let $G$ be a bilinear group of prime order $p$ with pairing $e\colon G \times G \to G_T$. Let $B$ be the rank-$k$ $G$-module $G^k$, let $B_T = (G_T)^m$ for some positive integer $m$, and let $E\colon B \times B \to B_T$ be a nondegenerate pairing defined as in (5). If $B_1$ is a uniformly random rank-$(k-1)$ submodule of $B$ and $E$ is a cancelling pairing that is independent of the decomposition $B = B_1 \times B_2$, then with overwhelming probability the pairing $E$ cannot be projecting (with respect to the same decomposition $B = B_1 \times B_2$).

Proof. By Proposition 6.4 we know that if $E$ is cancelling, then $E(B, B)$ has order $p$ with overwhelming probability. This means that $E(B, B)$ is cyclic and any element other than the identity is a generator.

Suppose $E$ is projecting and choose some $x \in B_1$. Since $E$ is nondegenerate, there is some $y \in B$ such that $E(x, y) \neq 1$. Now the projecting property implies that $\pi_T(E(x, y)) = E(\pi(x), \pi(y)) = E(1, \pi(y)) = 1$. Since $E(x, y)$ generates $E(B, B)$, we conclude that $\pi_T(E(B, B)) = \{1\}$.

On the other hand, now choose some $x' \in B_2$. Then there is some $y' \in B$ such that $E(x', y') \neq 1$. Furthermore, the cancelling property implies that without loss of generality we can assume $y' \in B_2$. The projecting property now implies that $\pi_T(E(x', y')) = E(\pi(x'), \pi(y')) = E(x', y') \neq 1$, so we conclude that $\pi_T(E(B, B)) = E(B, B)$, contradicting our conclusion above. □
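
The role of the independence hypothesis in Proposition 6.4 and Theorem 6.5 can be made concrete. The following Python is an added example, not code from the paper; it models $B = G^k$ by vectors of exponents in $\mathbb{F}_p^k$ with $k = 3$ and a toy prime $p = 1009$ (both assumptions of the example) and evaluates the pairing of equation (5) in the exponent, so that component $\ell$ of $E(x, z)$ is $x^{\mathsf{T}} E^{(\ell)} z \bmod p$. It first builds symmetric matrices $E^{(1)}, E^{(2)}$ from a given decomposition $B = B_1 \times B_2$ and checks that the resulting pairing is both cancelling and projecting, which is exactly the dependent construction the theorem excludes; it then keeps those matrices fixed, redraws the decomposition uniformly at random, and counts how often cancelling survives, which happens with probability on the order of $1/p$.

```python
import random

# Toy of the prime-order setup of Section 6 (assumption of this example): a vector in F_p^K
# stands for the element (g^{x_1}, ..., g^{x_K}) of B = G^K, and the pairing of equation (5)
# is evaluated in the exponent, so component l of E(x, z) is x^T E^(l) z mod p.
P = 1009        # toy prime; it only affects the ~1/p failure probability, not the algebra
K = 3           # rank of B; B_1 has rank K-1 = 2, B_2 rank 1 (the (K-1)-Linear setting)


def inv(x):
    return pow(x, P - 2, P)


def rank(rows):
    """Rank over F_p by Gaussian elimination (rows are lists of length K)."""
    m, r = [list(v) for v in rows], 0
    for col in range(K):
        piv = next((i for i in range(r, len(m)) if m[i][col] % P), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        f = inv(m[r][col])
        m[r] = [v * f % P for v in m[r]]
        for i in range(len(m)):
            if i != r and m[i][col] % P:
                g = m[i][col]
                m[i] = [(a - g * b) % P for a, b in zip(m[i], m[r])]
        r += 1
    return r


def invert(M):
    """Inverse of an invertible K x K matrix over F_p (Gauss-Jordan on [M | I])."""
    aug = [list(M[i]) + [int(i == j) for j in range(K)] for i in range(K)]
    for col in range(K):
        piv = next(i for i in range(col, K) if aug[i][col] % P)
        aug[col], aug[piv] = aug[piv], aug[col]
        f = inv(aug[col][col])
        aug[col] = [v * f % P for v in aug[col]]
        for i in range(K):
            if i != col and aug[i][col] % P:
                g = aug[i][col]
                aug[i] = [(a - g * b) % P for a, b in zip(aug[i], aug[col])]
    return [row[K:] for row in aug]


def matmul(X, Y):
    return [[sum(X[i][t] * Y[t][j] for t in range(K)) % P for j in range(K)] for i in range(K)]


def pairing(mats, x, z):
    """E(x, z) as in (5), in the exponent: component l is sum_ij x_i e^(l)_ij z_j mod p."""
    return tuple(sum(x[i] * M[i][j] * z[j] for i in range(K) for j in range(K)) % P for M in mats)


def random_decomposition(rng):
    """A uniformly random rank-(K-1) submodule B_1 (rows of A) and a generator b of a complement B_2."""
    while True:
        M = [[rng.randrange(P) for _ in range(K)] for _ in range(K)]
        if rank(M) == K:
            return M[:-1], M[-1]


def pairing_from_decomposition(A, b):
    """Symmetric matrices E^(1), E^(2) built FROM (A, b).  With W = M^{-1}, x*W is the coordinate
    vector of x in the basis (rows of A, b); E^(1) multiplies the B_2-coordinates of its two
    arguments and E^(2) the B_1-coordinates, so the pairing is nondegenerate and cancelling."""
    W = invert(A + [b])
    Wt = [list(col) for col in zip(*W)]

    def coord_form(idx):                       # W D W^T with D = sum_{i in idx} e_i e_i^T
        D = [[int(i == j and i in idx) for j in range(K)] for i in range(K)]
        return matmul(matmul(W, D), Wt)
    return [coord_form({K - 1}), coord_form(set(range(K - 1)))]


def is_cancelling(mats, A, b):
    """E(x, z) = 1 for all x in B_1, z in B_2; by bilinearity the generators suffice."""
    return all(all(v == 0 for v in pairing(mats, a, b)) for a in A)


def is_projecting(mats, A, b, rng, trials=50):
    """pi kills B_1 and fixes B_2; pi_T keeps only the E^(1) component; check Definition 5.3."""
    W = invert(A + [b])

    def proj(x):
        coef = sum(x[i] * W[i][K - 1] for i in range(K)) % P    # B_2-coordinate of x
        return [coef * v % P for v in b]

    def proj_T(zt):
        return (zt[0], 0)
    ok = all(proj(a) == [0] * K for a in A) and proj(b) == list(b)
    for _ in range(trials):
        x = [rng.randrange(P) for _ in range(K)]
        z = [rng.randrange(P) for _ in range(K)]
        ok = ok and proj_T(pairing(mats, x, z)) == pairing(mats, proj(x), proj(z))
    return ok


def survivals_under_fresh_decompositions(mats, rng, trials=300):
    """Fix the pairing first (so it is independent of B_1, the hypothesis of Proposition 6.4) and
    count how often it is still cancelling for a fresh random decomposition: about trials/p."""
    return sum(is_cancelling(mats, *random_decomposition(rng)) for _ in range(trials))


def demo(seed=7):
    rng = random.Random(seed)
    A, b = random_decomposition(rng)
    mats = pairing_from_decomposition(A, b)
    return {"cancelling": is_cancelling(mats, A, b),
            "projecting": is_projecting(mats, A, b, rng),
            "survivals": survivals_under_fresh_decompositions(mats, rng)}
```

The `survivals` count is the empirical side of the $2m/p$ bound in the proof of Proposition 6.4: the dependent construction passes both checks for the decomposition it was built from, but once the pairing is fixed and $B_1$ is drawn afresh, cancelling almost never holds, and raising `P` drives the count to zero.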

7 Conclusions and Open Problems 

In this paper we have shown that there are limitations on transformations of 
pairing-based cryptosystems from composite- to prime-order groups. In partic- 
ular, we have given evidence that two properties of composite-order pairings 
identified by Freeman — cancelling and projecting — cannot be simultaneously 
obtained in prime-order groups. 

Specifically, we have shown that a pairing defined in a natural way with sub- 
group hiding provided by the Decision Linear assumption can be both cancelling 
and projecting with only negligible probability. As evidence that both properties 
are sometimes called for simultaneously, we have presented a natural crypto- 
graphic scheme whose proof of security calls for a pairing that is both cancelling 
and projecting. This scheme is a practical round-optimal blind (and partially 
blind) signature secure in the common reference string model, under mild as- 
sumptions and without random oracles. 

Many open questions remain. First, we would like either to generalize our result so it applies to a wider class of pairings constructed from prime-order groups (possibly including asymmetric pairings), or instead to show that no such generalization is possible by exhibiting a pairing in prime-order groups that is simultaneously projecting and cancelling. Second, we have given evidence that our specific proof strategy for our blind signature scheme is unlikely to generalize to prime-order groups, but have not settled the question of whether our scheme when instantiated in prime-order groups is in fact provably secure (by means of a different, ad-hoc proof) or insecure (i.e., actually susceptible to attack). Finally, it is interesting to consider whether a more general procedure (not relying on Freeman's properties) can be used to transform every composite-order scheme to a prime-order one, or whether some schemes provably cannot be so transformed.
Abstract. In pairing-based cryptography the Generic Group Model (GGM) is used frequently to provide evidence towards newly introduced hardness assumptions. Unfortunately, the GGM does not reflect many known properties of bilinear group settings and thus hardness results in this model are of limited significance. This paper proposes a novel computational model for pairing-based cryptography, called the Semi-Generic Group Model (SGGM), that is closer to the standard model and allows one to make more meaningful security guarantees. In fact, the best algorithms currently known for solving pairing-based problems are semi-generic in nature. We demonstrate the usefulness of our new model by applying it to study several important assumptions (BDDH, Co-DH). Furthermore, we develop master theorems facilitating an easy analysis of other (future) assumptions. These master theorems imply that (unless there are better algorithms than the semi-generic ones) great parts of the zoo of novel assumptions over bilinear groups are reducible to just two (more or less) standard assumptions over finite fields. Finally, we examine the appropriateness of the SGGM as a tool for analyzing the security of practical cryptosystems without random oracles by applying it to the BLS signature scheme.

Keywords: Restricted models of computation, generic groups, semi-generic group model, cryptographic assumptions, master theorems, provable security, pairing-based cryptography. 


1 Introduction 

Assuming that certain computational problems, mostly from algebra, number theory, and coding theory, are intractable builds the foundation of public-key cryptography. However, proving the validity of these assumptions in the standard model of computation seems to be impossible with currently available techniques. 

Why do we believe in such hardness assumptions, though they are not provable in general? For classic number-theoretic problems, such as integer factorization (IF) or the discrete logarithm (DL) problem, this is certainly due to the absence of efficient algorithms in spite of intensive long-term research by many brilliant people. However, besides such well-known assumptions, there frequently appear new assumptions building the basis for novel cryptosystems with original properties. What can be done to provide evidence for these assumptions apart from trying to find efficient algorithms over decades? Clearly, we should try to underpin the belief in novel assumptions by searching for reductions to a more mature assumption; but unfortunately finding such a reduction often fails. 

* This is an extended abstract, see [?] for the full version. This research has been supported by 

An important approach to (nevertheless) gain immediate evidence towards hardness assumptions is to prove them with respect to a restricted but still meaningful class of algorithms. This is the motivation behind the invention of black-box models for algebraic structures like groups, fields, and rings, where algorithms are limited to perform only operations “commonly” available over these structures. Probably the most famous of these models is the generic group model (GGM) introduced by Shoup in his seminal paper [?] from 1997, and refined by Maurer in [?]. In this model one considers algorithms - so-called generic group algorithms - that, given a group $G$ as a black box, may only perform a set of basic operations on the elements of $G$ such as applying the group law, inversion of group elements and equality testing. Since the group is treated as a black box, the algorithms cannot exploit any special properties of a concrete group representation. As a consequence, such algorithms are generic in the sense that they can be applied to any concrete instantiation of a group (e.g., $\mathbb{Z}_n^*$ or $E(\mathbb{F}_p)$) in order to solve a problem. Natural examples of this class of algorithms are the Pohlig-Hellman [?] and Pollard’s Rho [?] algorithm for computing discrete logarithms. 

It should be noted that one has to take care when interpreting results in the GGM, like intractability results, as evidence in practice, since this model abstracts away from potentially many properties an algorithm might be able to exploit in the real world [?]. On the one hand, there exist cryptographic groups (such as certain elliptic curve groups) for which not many properties beyond the axioms of an algebraic group are known. Hence, modeling such groups as generic can be seen as a reasonable abstraction. On the other hand, there are groups, also used in cryptography, featuring many further properties, which clearly makes the generic model an inappropriate reflection for them. A prime example is the multiplicative group of a finite field or ring. These structures offer many well-understood properties beyond the group axioms, such as additional efficient algebraic operations (e.g., addition in the field or ring), and other properties of the group representation (e.g., the notion of prime integers and irreducible polynomials), that are simply ignored by the generic group model, but give rise to more efficient algorithms for certain problems (e.g., index calculus algorithms for computing discrete logarithms). 

But should a minimal requirement on such an idealized model of computation not be that at least all currently known algorithms are captured? There exist some first approaches in the cryptographic literature to tackle this issue: The pseudo-free group model proposed by Hohenberger [?] and Rivest [?] does not treat a group as a black box. Unfortunately, the definition of pseudo-freeness is very restrictive in the sense that a number of important groups (like all known-order groups) are immediately excluded and important problems, such as Diffie-Hellman-type problems, seem not to be covered. Other approaches due to Leander and Rupp [?] and Aggarwal and Maurer [?] take into account that the RSA group $\mathbb{Z}_n^*$ is embedded in the ring $\mathbb{Z}_n$. They use a generic ring model, where algorithms may perform both multiplication and addition operations on $\mathbb{Z}_n$, to show that breaking RSA is equivalent to factoring. Unfortunately, recent work [?] shows that even computing the Jacobi symbol is equivalent to factoring in this model. So this approach has not led to a satisfying abstraction of $\mathbb{Z}_n^*$ yet. 

Over the last decade a considerable number of innovative cryptosystems, such as identity-based encryption [?] or short digital signatures with strong security [?], have been proposed over bilinear groups. A bilinear group setting consists of groups $G_1$, $G_2$, and $G_3$, with a bilinear map $e : G_1 \times G_2 \to G_3$, called a pairing. Along with these cryptosystems also many new assumptions have been introduced, e.g., Bilinear Diffie-Hellman (BDH) [23, 24], $q$-Strong Diffie-Hellman [?], Decision Linear Diffie-Hellman (DLIN) [?], Co-Diffie-Hellman (Co-DH) [?], and many more. Unfortunately, for virtually all of them no reduction to a well-analyzed assumption like DL is known. In fact, finding such reductions seems to be a difficult task, since the algebraic settings underlying classic problems (e.g., a single cyclic group for DL) significantly differ from bilinear settings. Hence, given an instance of a classic problem, it appears to be hard to transform this instance to one of the bilinear problem in order to leverage an algorithm for the latter. 

Consequently, the only way to provide some immediate evidence for such novel assumptions consists in proofs in restricted models of computation. So far, the only such model for bilinear settings is a straightforward extension of the generic group model, where all three groups $G_1$, $G_2$, and $G_3$ are modeled as generic groups [?]. In all known instances of bilinear settings the groups $G_1$ and $G_2$ are elliptic curve groups, thus modeling these groups as generic may be considered a reasonable abstraction. However, in contrast to that, the group $G_3$ is usually a subgroup of the multiplicative group of a finite field. So there definitely exist non-generic algorithms for cryptographic problems like BDH, Co-DH, etc. featuring a running time which is at most sub-exponential: these sub-exponential algorithms map the inputs over $G_1$ and $G_2$ (given as part of a problem instance) to $G_3$ using the bilinear mapping (MOV reduction [?]) and determine the discrete logarithms of these elements over $G_3$ using index calculus. Knowledge of these discrete logarithms allows one to compute the solution to the problem instance using a few exponentiations. Note that there might be even more efficient algorithms, especially for potentially easier problems like decisional or gap problems. Hence, modeling bilinear settings in this way is clearly inappropriate. 

Our Contribution. We propose the Semi-Generic Group Model (SGGM) which leverages this observation as follows: The elliptic curve groups $G_1$ and $G_2$ are modeled as generic groups, while $G_3$ is given in the standard model, i.e., algorithms may perform any computation over $G_3$ that is possible in the subgroup of a finite field. The SGGM is thus closer to the standard model than the GGM and can provide stronger evidence towards hardness assumptions in pairing-based cryptography. In fact, to the best of our knowledge all algorithms currently known for solving pairing-based problems are semi-generic in nature. In particular, the sub-exponential algorithms applying a MOV reduction described above are covered by the SGGM. 

We analyzed some of the most important computational and decisional assumptions of pairing-based cryptography in our new model. In this extended abstract we restrict ourselves to Co-DH and decisional BDH. The full version of the paper [?] covers additional problems, including $q$-strong DH and DLIN. We are able to reduce the considered assumptions (with respect to semi-generic algorithms) to fairly standard assumptions over finite fields like Square DH and a slight variation of DL. That means the bilinear assumptions are at least as hard as certain more standard assumptions over $G_3$, provided that there are no non-semi-generic algorithms. Furthermore, we developed master theorems ensuring the hardness of broad classes of computational and decisional problems in the SGGM. Studying such generalizations is not only important in order to structure and facilitate the analysis of the rapidly growing set of cryptographic assumptions, as motivated in [?], but also improves our understanding of the properties which need to be satisfied by a problem to be intractable. Results like [?] are in this vein. Boyen [?] (see also [?]) developed master theorems for the hardness of some general classes of decisional problems in the generic group model for bilinear settings. Rupp et al. [?] provide hardness conditions for even broader classes of computational problems and algebraic settings, but still in the GGM. Bresson et al. [?] study a general class of decisional assumptions over a single group in the standard model and show that this class can be reduced to DDH (under certain restrictions). In the scope of the proof of our master theorem for decisional problems we enhance Bresson et al.’s results for the standard model and apply them to the SGGM. 

The security of public-key cryptosystems, especially of practical cryptosystems, can often only be proven in an idealized model, such as the random oracle model (ROM) [?]. An issue with the ROM is that it idealizes a hash function in a way such that it has all properties of a “perfect” hash function (collision resistance, (second) preimage resistance, random output, ...) at the same time. When the cryptosystem (and thus the random oracle) is implemented in practice, one has to choose an adequate hash function instantiating the random oracle. An important question is whether providing all properties of the random oracle at the same time is really necessary to provide security. 

We examine the usability of the SGGM as a tool complementing the ROM. We are able to prove the security of the Boneh-Lynn-Shacham (BLS) short signature scheme [?] against semi-generic adversaries without random oracles, however, requiring non-standard properties for the employed hash function. It is left as an interesting open problem to study whether these requirements can actually be satisfied by a reasonably efficient practical hash function. 

2 The Semi-Generic Group Model 

Let $G_1$, $G_2$, and $G_3$ be groups of prime order $p$ and $g_1 \in G_1$, $g_2 \in G_2$ be corresponding generators. For the sake of simplicity of the subsequent formalizations we use multiplicative notation for all groups. 

Definition 1. A pairing is a map $e : G_1 \times G_2 \to G_3$ with the following properties: 

1. Bilinearity: $\forall (a, b) \in G_1 \times G_2$ and $x_1, x_2 \in \mathbb{Z}_p$ it holds that $e(a^{x_1}, b^{x_2}) = e(a, b)^{x_1 x_2}$. 

2. Non-degeneracy: $g_3 := e(g_1, g_2)$ is a generator of $G_3$, i.e., $g_3 \neq 1$. 

3. $e$ is efficiently computable. 
Following [?], we distinguish three different types of bilinear group settings: 

- Type 1: $G_1 = G_2$. We will call this the setting with symmetric bilinear map. 

- Type 2: $G_1 \neq G_2$, there is an efficiently computable isomorphism $\psi : G_1 \to G_2$. 

- Type 3: $G_1 \neq G_2$, there is no efficiently computable isomorphism $\psi : G_1 \to G_2$. 

Formal Definition of the SGGM. We base our formal description of the SGGM for bilinear settings on the generic group model introduced by Maurer [?], though our proofs can be adapted to Shoup’s GGM [?] as well. The main difference between Maurer’s and Shoup’s formalization is that in the first model group elements are encoded deterministically whereas in the second model encodings are random. 

An algorithm $\mathcal{A}$ in the SGGM interacts with a semi-generic group oracle $\mathcal{O}$, which computes the group operations and evaluates the pairing and isomorphism on behalf of $\mathcal{A}$. $\mathcal{O}$ receives as input two vectors of group elements (the problem instance) 

$I_1 = (a_{1,1}, \ldots, a_{1,k_1}) \in G_1^{k_1}$ and $I_2 = (a_{2,1}, \ldots, a_{2,k_2}) \in G_2^{k_2}$. 

It maintains two lists $\mathcal{L}_1 \subseteq G_1$ and $\mathcal{L}_2 \subseteq G_2$, with $\mathcal{L}_i[j]$ denoting the $j$-th entry of list $\mathcal{L}_i$, which are initialized such that $\mathcal{L}_i[j] := a_{i,j}$ for all possible $i, j$. We denote with $[a]_i$ the smallest index $j$ (also called encoding) such that $\mathcal{L}_i[j] = a$. Index $[a]_i$ is undefined if $a \notin \mathcal{L}_i$. We may always assume that semi-generic algorithms only provide defined indices as input to the oracle. During initialization of the lists $\mathcal{L}_1$ and $\mathcal{L}_2$, the corresponding indices pointing to the contained elements are sent to the algorithm. 

The oracle implements the following public procedures, which may be called by $\mathcal{A}$: 

- GroupOp($[a]_i$, $[b]_i$, $i$): This procedure takes as input two indices $[a]_i$, $[b]_i$ and a list index $i$. It determines the group elements $a, b \in G_i$ by list lookup, computes $c = a \cdot b \in G_i$, appends $c$ to $\mathcal{L}_i$, and returns $[c]_i$. 

- BilinearMap($[a]_1$, $[b]_2$): This procedure takes as input two indices $[a]_1$, $[b]_2$. It determines the corresponding group elements $a \in G_1$, $b \in G_2$ by list lookup and returns $e(a, b)$ in the standard representation of $G_3$ (i.e., as a finite field element). 

When considering Type 2 settings the algorithm may also query to apply the isomorphism $\psi$ to an element of $G_1$: 

- Isomorphism($[a]_1$): This procedure takes as input an index $[a]_1$, determines the element $a \in G_1$, computes $b = \psi(a)$, appends $b$ to $\mathcal{L}_2$ and returns $[b]_2$. 

Note that a random group element can be efficiently sampled by a semi-generic algorithm by using GroupOp($\cdot$) to raise the generator (which is always part of a problem instance) to some $r \leftarrow \mathbb{Z}_p$. 

2.1 Essential Ingredients for Proofs in the SGGM 

This section describes a few general observations that will turn out to be the essential 
ingredients for proofs in the semi-generic model. 

Observation 1: Components inside the oracle are exchangeable. Semi-generic algorithms are by their nature “blind” with respect to the internal details of the groups $G_1$ and $G_2$ as well as the pairing $e$ and the isomorphism $\psi$. These components are hidden within a black box. Hence, we can plug in “something else” for these components as long as these replacements behave like cyclic groups with a bilinear map and an isomorphism. We will utilize this observation in a novel way to map inputs given over $G_3$ back to $G_1$ and $G_2$ by setting $G_1 := G_2 := G_3$ internally and simulating a virtual bilinear map $e : G_3 \times G_3 \to G_3$ and isomorphism $\psi : G_3 \to G_3$. 

Observation 2: Computed elements over $G_1$ and $G_2$ are linear polynomials in the initial inputs. Let $I_1 \in G_1^m$ and $I_2 \in G_2^n$ be inputs given to the semi-generic oracle (as part of a problem instance). We have $I_2 = I_1$ in the case of a Type 1 setting. In the following, we always assume that at least the generators $g_1$ and $g_2$ are given (as the first components of these input tuples). So we can write $I_1 = (g_1, g_1^{x_2}, \ldots, g_1^{x_m})$ and $I_2 = (g_2, g_2^{y_2}, \ldots, g_2^{y_n})$ for some unknown $x_j, y_k \in \mathbb{Z}_p$ (no assumptions about their distribution are made here) and $\psi(g_1) = g_2$ in the case of a Type 2 setting. Then we define the tuple $I_1' := I_1$ and the tuple $I_2' := I_2$ in the case of a Type 1 and Type 3 setting, or $I_2' := (g_2, g_2^{x_2}, \ldots, g_2^{x_m}, g_2^{y_2}, \ldots, g_2^{y_n})$ for a Type 2 setting. These tuples are called the initial inputs to semi-generic algorithms. Using this notation, we can describe the following observation: Over $G_1$ and $G_2$ a semi-generic algorithm can only perform the group law on the initial inputs. Thus, any element $a \in G_i$ ($i \in \{1, 2\}$) computed by a semi-generic algorithm is a product of the elements in $I_i'$. Hence we can represent such an element as $a = g_i^{P(x_2, \ldots, x_m, y_2, \ldots, y_n)}$ for some linear multivariate polynomial $P = \alpha_1 + \sum_{j=2}^{m} \alpha_j X_j + \sum_{j=2}^{n} \beta_j Y_j$, where the $\beta_j$ are zero in the case $i = 1$ or if we consider a Type 1 setting. It is important to observe that all coefficients of this polynomial are known to the oracle. 

Observation 3: The pairing is simulatable knowing the images of the initial inputs. Let $a \in G_1$ and $b \in G_2$ be two elements computed by a semi-generic algorithm. Then by using the above observation and setting $x_1 := 1$ it is easy to see that 

$e(a, b) = e\big(g_1^{\sum_{i=1}^{m} \alpha_i x_i},\ g_2^{\sum_{j=1}^{m} \alpha'_j x_j + \sum_{k=2}^{n} \beta_k y_k}\big) = \prod_{i=1}^{m} \prod_{j=1}^{m} e(g_1^{x_i}, g_2^{x_j})^{\alpha_i \alpha'_j} \cdot \prod_{i=1}^{m} \prod_{k=2}^{n} e(g_1^{x_i}, g_2^{y_k})^{\alpha_i \beta_k}$ 

From this equation it follows that by knowing the images of the initial inputs under the pairing, one can compute the output of $e$ on arbitrary inputs provided by a semi-generic algorithm without actually evaluating the pairing explicitly. In other words, an oracle equipped with a table containing $e(a, b)$ for all combinations of $a$ in $I_1'$ and $b$ in $I_2'$ would be able to handle all BilinearMap queries. 

3 Analysis of Selected Problems in the Semi-Generic Model 

In this section we exemplarily analyze the hardness of the computational Co-DH and the decisional BDH problem. Certainly, the list of problems we are considering here is by no means complete. Our main purpose is to give concrete analyses of some important problems of bilinear cryptography, thereby illustrating the basic ideas and techniques underlying proofs in this model, before dealing with the more intricate case of general classes of problems in Section 4. 
3.1 Reducing 2-DL to Co-DH 

The Co-DH problem has been used in [?] for the construction of short and aggregate signatures over bilinear groups. Over a Type 2 setting it can be defined as follows: Given $(g_1, g_1^{x_0}, g_2, g_2^{x_1}, g_3)$, where $(x_0, x_1) \leftarrow \mathbb{Z}_p^2$ are secret random choices, output $g_2^{x_0 x_1}$. 

It is easy to see that in order to prove something about the hardness of Co-DH, we definitely need to make the assumption that the discrete logarithm problem over $G_3$ is intractable. But is this enough? Our answer is “not quite”: We are going to relate the hardness of Co-DH to the 2-DL problem over $G_3$, a slightly easier variant of DL. The $q$-DL problem can be defined as follows: Given $(g_3, g_3^{x}, \ldots, g_3^{x^q})$, where $x \leftarrow \mathbb{Z}_p$ is a secret random value, output $x$. The additional input $g_3^{x^2}$ (in comparison to standard DL) is needed in order to be able to simulate the pairing when running the Co-DH algorithm. 

Theorem 1. Suppose there exists a semi-generic group algorithm $\mathcal{A}$ solving Co-DH over a Type 2 bilinear group setting in time $t$ with success probability $\epsilon$. Then there exists an algorithm $\mathcal{B}$ solving the 2-DL problem over $G_3$ in time $t' \approx t$ with success probability $\epsilon' \geq \frac{1}{2}\epsilon$. 

Proof. Given an instance of the 2-DL problem, $\mathcal{B}$ sets up an instance of the Co-DH problem in the semi-generic model in a way that it can leverage a solution to Co-DH computed by $\mathcal{A}$ to solve the 2-DL instance. In particular, $\mathcal{B}$ will play the role of the semi-generic oracle. We exploit Observation 1 from Section 2.1 to set up such a useful instance: Since $\mathcal{A}$ is “blind” with respect to the internal details of $G_1$, $G_2$, $e$, and $\psi$, we set $G_1 := G_2 := G_3$ and try to simulate a virtual bilinear map $e : G_3 \times G_3 \to G_3$. 

We are now ready to describe our reduction algorithm $\mathcal{B}$. $\mathcal{B}$ takes as input an instance $a_0 := g_3$, $a_1 := g_3^{x}$, $a_3 := g_3^{x^2}$ of the 2-DL problem over $G_3$. Then it chooses $i^* \leftarrow \{0, 1\}$, $x_{1-i^*} \leftarrow \mathbb{Z}_p$ and sets $a_2 := g_3^{x_{1-i^*}}$. The wanted discrete logarithm $x$ is now embedded as the implicit secret choice $x_{i^*}$ in an instance of the Co-DH problem. More precisely, $\mathcal{B}$ sets up a problem instance and simulates the oracle $\mathcal{O}$ as follows: 

- The lists $\mathcal{L}_1$ and $\mathcal{L}_2$ are initialized with $g_3, g_3^{x_0}$ and $g_3, g_3^{x_1}$, respectively, where $g_3^{x_{i^*}}$ is set to be $a_1$. The indices $[g_3]_1$, $[g_3^{x_0}]_1$, $[g_3]_2$, $[g_3^{x_1}]_2$, and $g_3$ are sent out to $\mathcal{A}$. 

- GroupOp can be simulated since $\mathcal{B}$ knows how to perform the group law over $G_3$. 

- Isomorphism($[a]_1$) can be simulated by looking up $a$ in $\mathcal{L}_1$, appending it to $\mathcal{L}_2$, and then determining the index $[a]_2$. 

- Using Observation 3 from Section 2.1 we can easily see that BilinearMap can be simulated: Let $[b]_1$, $[c]_2$ be the two indices given as input to the procedure by $\mathcal{A}$. Then we can write 

$e(b, c) = e\big(g_3^{\sum_{j=-1}^{0} z_j x_j},\ g_3^{\sum_{k=-1}^{1} z'_k x_k}\big) = \prod_{j=-1}^{0} \prod_{k=-1}^{1} \big(g_3^{x_j x_k}\big)^{z_j z'_k}$ 

where $x_{-1} := 1$ and $z_j$ and $z'_k$ are known to $\mathcal{B}$. Since $\mathcal{B}$ is given $a_0, \ldots, a_3$ and knows $i^*, x_{1-i^*}$, it can compute the required elements $g_3, g_3^{x_0}, g_3^{x_1}, g_3^{x_0^2}, g_3^{x_0 x_1}$ to simulate the pairing: $g_3 = a_0$, $g_3^{x_{i^*}} = a_1$, $g_3^{x_{1-i^*}} = a_2$, $g_3^{x_0^2} = a_3$ if $i^* = 0$ and $g_3^{x_0^2} = a_2^{x_0}$ else, $g_3^{x_0 x_1} = a_1^{x_{1-i^*}}$. 
Given some instance of Co-DH, algorithm $\mathcal{A}$ eventually outputs some valid index $[c]_2$. The corresponding element $c \in G_2$ can be written as $c = g_2^{P(x_0, x_1)}$ for some known polynomial $P = z_0 + z_1 X_0 + z_2 X_1 \in \mathbb{Z}_p[X_0, X_1]$ (Observation 2, Section 2.1). So alternatively we can say that $\mathcal{A}$ wins if $(P - X_0 X_1)(x_0, x_1) = 0 \bmod p$. This success event can be split up into the following disjoint events: 

- Event $S_1$: The univariate polynomial $(P - X_0 X_1)(x_0)$, i.e., the polynomial $P - X_0 X_1$ where we only evaluate the variable $X_0$ with $x_0$, is zero modulo $p$. Let the probability of this event be denoted by $\alpha_1$. 

- Event $S_2$: The univariate polynomial $(P - X_0 X_1)(x_0)$ is not zero modulo $p$ but $(P - X_0 X_1)(x_0, x_1)$ is. Let the probability of this event be denoted by $\alpha_2$. 

Clearly, we have $\epsilon = \alpha_1 + \alpha_2$. 

Let us consider the events $S_1$ and $S_2$ when $\mathcal{B}$ runs $\mathcal{A}$ for certain choices of $i^*$. Note that $\mathcal{B}$ knows the coefficients of $P$ since it responded to $\mathcal{A}$’s queries. With probability $\frac{1}{2}\alpha_1$, we have $i^* = 0$ and $S_1$. This means $z_0 + z_1 x + z_2 X_1 - x X_1 \equiv 0$. But in this case $z_2$ needs to be equal to $x$. So $\mathcal{B}$ wins by simply returning the known coefficient $z_2$. Furthermore, with probability $\frac{1}{2}\alpha_2$, we have $i^* = 1$ and $S_2$. Hence, the wanted DL is the root of the univariate non-zero polynomial $z_0 + z_1 x_0 + z_2 X_1 - x_0 X_1$ known to $\mathcal{B}$. It can thus be determined as $x = (z_0 + z_1 x_0)(x_0 - z_2)^{-1} \bmod p$. It is easy to verify that the inverse $(x_0 - z_2)^{-1}$ always exists. 

To summarize, if $i^*$ happens to be zero, $\mathcal{B}$ outputs $z_2$, otherwise it outputs $(z_0 + z_1 x_0)(x_0 - z_2)^{-1}$. In this way, its success probability is at least $\frac{1}{2}\alpha_1 + \frac{1}{2}\alpha_2 = \frac{1}{2}\epsilon$. □ 
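The following is an added illustration, not code from the paper: it implements the semi-generic oracle of Section 2 as played by the reduction $\mathcal{B}$ of Theorem 1 (lists with index encodings, GroupOp, Isomorphism, and a BilinearMap answered purely from the table of Observation 3 while tracking the linear polynomials of Observation 2), and then extracts $x$ from the coefficients of $\mathcal{A}$'s output exactly as in the proof. The group $G_3$ is a constructed toy subgroup of $\mathbb{Z}_{2039}^*$ of order 1019, and the two "solvers" are stand-ins for a successful Co-DH algorithm (they are handed $x_0, x_1$ out of band, which a real $\mathcal{A}$ never is); everything else follows the proof.

```python
# Constructed toy parameters (not from the paper): q = 2p + 1 is a safe prime, so Z_q^*
# contains a subgroup G3 of prime order p, generated by the quadratic residue 4.
Q, P, G3 = 2039, 1019, 4


def power(oracle, i, idx, k):
    """Raise entry idx of list L_i to the known scalar k >= 1 using GroupOp only
    (square-and-multiply), the only way a semi-generic algorithm can exponentiate."""
    acc = None
    for bit in bin(k)[2:]:
        if acc is not None:
            acc = oracle.group_op(i, acc, acc)
        if bit == "1":
            acc = idx if acc is None else oracle.group_op(i, acc, idx)
    return acc


class ReductionOracle:
    """Algorithm B of Theorem 1 acting as the semi-generic oracle with G1 := G2 := G3.
    Entry j of list L_i is stored as (element, (z_-1, z_0, z_1)), meaning
    element = g3^(z_-1 + z_0*x_0 + z_1*x_1)  (Observation 2).  The secret x of the
    2-DL challenge (a0, a1, a3) = (g3, g3^x, g3^(x^2)) is embedded as x_{i*}."""

    def __init__(self, a0, a1, a3, i_star, x_other):
        self.i_star, self.x_other = i_star, x_other
        a2 = pow(a0, x_other, Q)                               # g3^{x_{1-i*}}
        g_x0, g_x1 = (a1, a2) if i_star == 0 else (a2, a1)
        g_x0sq = a3 if i_star == 0 else pow(a2, x_other, Q)    # g3^{x_0^2}
        g_x0x1 = pow(a1, x_other, Q)                           # g3^{x_0 x_1}
        # Observation 3: e(g3^{x_j}, g3^{x_k}) = g3^{x_j x_k} for the initial inputs, x_-1 := 1
        self.table = {(-1, -1): a0, (-1, 0): g_x0, (-1, 1): g_x1,
                      (0, -1): g_x0, (0, 0): g_x0sq, (0, 1): g_x0x1}
        self.lists = {1: [(a0, (1, 0, 0)), (g_x0, (0, 1, 0))],
                      2: [(a0, (1, 0, 0)), (g_x1, (0, 0, 1))]}

    def group_op(self, i, idx_a, idx_b):
        (a, za), (b, zb) = self.lists[i][idx_a], self.lists[i][idx_b]
        self.lists[i].append((a * b % Q, tuple((u + v) % P for u, v in zip(za, zb))))
        return len(self.lists[i]) - 1

    def isomorphism(self, idx):
        self.lists[2].append(self.lists[1][idx])               # psi is the identity on G3
        return len(self.lists[2]) - 1

    def bilinear_map(self, idx1, idx2):
        """Virtual pairing computed from the table alone; x itself is never needed."""
        z, zp = self.lists[1][idx1][1], self.lists[2][idx2][1]
        out = 1
        for j in (-1, 0):                  # elements of G1 only involve 1 and x_0
            for k in (-1, 0, 1):
                out = out * pow(self.table[(j, k)], z[j + 1] * zp[k + 1], Q) % Q
        return out

    def extract(self, idx_c):
        """Read x off the coefficients of c = g2^{P(x_0, x_1)}, P = z0 + z1*X0 + z2*X1."""
        z0, z1, z2 = self.lists[2][idx_c][1]
        if self.i_star == 0:               # event S1: x_0 = x must equal the X1-coefficient
            return z2
        x0 = self.x_other                  # event S2: x_1 = x is the root of z0 + z1*x0 + (z2 - x0)*X1
        if (x0 - z2) % P == 0:
            return None                    # polynomial is a constant: no root, B fails
        return (z0 + z1 * x0) * pow((x0 - z2) % P, -1, P) % P


def solver_via_x1(o, x0, x1):
    """Stand-in for a successful Co-DH solver: computes psi(g1^{x0})^{x1} via oracle calls."""
    return power(o, 2, o.isomorphism(1), x1)


def solver_via_x0(o, x0, x1):
    """Another stand-in: computes (g2^{x1})^{x0} via oracle calls."""
    return power(o, 2, 1, x0)


def pairing_consistent(o, x0, x1):
    """Check Observation 3: the table-based BilinearMap agrees with e(g3^u, g3^v) = g3^{uv}."""
    b = o.group_op(1, 1, 1)                         # g1^{2 x0}
    c = o.group_op(2, o.isomorphism(1), 1)          # g2^{x0 + x1}
    return o.bilinear_map(b, c) == pow(G3, 2 * x0 * (x0 + x1) % P, Q)


def run_reduction(x, i_star, solver, x_other=456):
    """Build the 2-DL instance for secret x, let B embed it as x_{i*}, run the solver and
    return what B extracts: x when i* matches the event, a wrong value or None otherwise."""
    a0, a1, a3 = G3, pow(G3, x, Q), pow(G3, x * x % P, Q)
    x0, x1 = (x, x_other) if i_star == 0 else (x_other, x)
    o = ReductionOracle(a0, a1, a3, i_star, x_other)
    assert pairing_consistent(o, x0, x1)
    idx_c = solver(o, x0, x1)
    assert o.lists[2][idx_c][0] == pow(G3, x0 * x1 % P, Q)   # the stand-in really solved Co-DH
    return o.extract(idx_c)
```

Running `run_reduction(123, 0, solver_via_x0)` and `run_reduction(123, 1, solver_via_x1)` both return 123, while the two mismatched pairings of $i^*$ and solver fail, which is the factor $\frac{1}{2}$ in the theorem.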

3.2 Reducing SqDDH to BDDH 

The bilinear decisional Diffie-Hellman problem (BDDH) is certainly among the most well-known problems over bilinear groups. It was originally introduced in a seminal paper by Joux [?] and, e.g., further used by Boneh and Franklin [?] to construct an identity-based encryption scheme. Let us consider BDDH over a Type 1 setting where it can be defined as follows: Given $(g_1, g_1^{x_1}, g_1^{x_2}, g_1^{x_3}, g_3^{r_b})$, where $(x_1, x_2, x_3) \leftarrow \mathbb{Z}_p^3$, $b \leftarrow \{0, 1\}$, $r_1 = x_1 x_2 x_3$, and $r_0 \leftarrow \mathbb{Z}_p$ are secret choices, output $b$. 

We relate the hardness of BDDH with respect to semi-generic algorithms to the hardness of the well-known decisional Diffie-Hellman (DDH) problem and the square decisional Diffie-Hellman (SqDDH) problem over $G_3$. SqDDH is a potentially easier variant of DDH: Given $(g_3, g_3^{x}, g_3^{r_b})$, where $x \leftarrow \mathbb{Z}_p$, $b \leftarrow \{0, 1\}$, $r_1 = x^2$, and $r_0 \leftarrow \mathbb{Z}_p$ are secret choices, output $b$. Our result is formalized in Theorem 2. It is worth mentioning that in contrast to computational problems (like Co-DH), for decisional problems usually multiple reduction steps are required. In the proof we apply the idea of DDH steps [?] to the bilinear setting and introduce the new concept of SqDDH steps. Since the DDH assumption reduces to the SqDDH assumption [?], the hardness of BDDH can be formulated with respect to SqDDH only (Corollary 1). 

Theorem 2. Suppose there exists a semi-generic group algorithm $\mathcal{A}$ solving BDDH over a Type 1 setting in time $t$ with advantage $\epsilon$. Then there exists an algorithm $\mathcal{B}_{\mathrm{SqDDH}}$ solving SqDDH over $G_3$ in time $t_{\mathrm{SqDDH}} \approx t$ with advantage $\epsilon_{\mathrm{SqDDH}}$ and an algorithm $\mathcal{B}_{\mathrm{DDH}}$ solving DDH over $G_3$ in time $t_{\mathrm{DDH}} \approx t$ with advantage $\epsilon_{\mathrm{DDH}}$ such that $\epsilon \leq 3\epsilon_{\mathrm{DDH}} + 6\epsilon_{\mathrm{SqDDH}}$. 

Table 1. Transforming a semi-generic oracle for real BDDH into one for random BDDH using SqDDH and DDH steps. 

[Table body not recoverable from the scan. Columns: Games $G_1$ to $G_{10}$. Rows: the direct input over $G_3$; the BilinearMap outputs $e(g_1, g_1)$, $e(g_1, g_1^{x_1})$, $e(g_1, g_1^{x_2})$, $e(g_1, g_1^{x_3})$, $e(g_1^{x_1}, g_1^{x_2})$, $e(g_1^{x_1}, g_1^{x_3})$, $e(g_1^{x_2}, g_1^{x_3})$, ...; last row: the assumption justifying each transition, namely SqDDH, SqDDH, SqDDH, DDH, DDH, DDH, SqDDH, SqDDH, SqDDH.] 

Corollary 1. If SqDDH is $(\epsilon, t)$-hard over $G_3$, then BDDH is $(9\epsilon, t)$-hard for semi-generic algorithms. 

Proof (Theorem 2). In the following we show that for a semi-generic algorithm a “real” BDDH tuple $(g_1, g_1^{x_1}, g_1^{x_2}, g_1^{x_3}, g_3^{r_1} = g_3^{x_1 x_2 x_3})$ is computationally indistinguishable from a “random” tuple $(g_1, g_1^{x_1}, g_1^{x_2}, g_1^{x_3}, g_3^{r_0})$, unless SqDDH or DDH are easy over $G_3$. We do this by considering a series of games played between a semi-generic algorithm $\mathcal{A}$ and an oracle $\mathcal{O}$. We start with $\mathcal{A}$ given oracle access to a real BDDH tuple. We then gradually transform this tuple as well as the output of the oracle until we end up with a random tuple. One can show that if $\mathcal{A}$ can distinguish two consecutive games $G_{i-1}$ and $G_i$ then it can be used to build an algorithm solving SqDDH or DDH. 

The games are described by Table 1. Each of the columns labeled with $G_i$ specifies the (direct) input over $G_3$ (see Row 1) or the output of BilinearMap in game $G_i$ for all possible inputs over $G_1$. Bold-printed parts of a value highlight the actual changes in comparison to the previous game. The entry in the last row of a column $G_i$ indicates which assumption (SqDDH or DDH) justifies the indistinguishability of the Games $G_{i-1}$ and $G_i$. If a new $x_j$ ($j > 3$) appears in a column, this means that this value has been added to the corresponding game and the oracle chooses $x_j$ uniformly from $\mathbb{Z}_p$. 

As one can see from the table, by means of the Games $G_1$ to $G_4$ we remove all squares $x_i^2$ ($1 \leq i \leq 3$) from the output of the pairing oracle. We do this simply by replacing each square with a new value $x_j$ ($4 \leq j \leq 6$). These transformations are called (bilinear) SqDDH steps and are prerequisites for the subsequent DDH steps performed in Games $G_5$ to $G_6$. During these DDH steps we selectively remove all products $x_i x_j$ that involve variables being part of the challenge. Again, this is done by replacing the products by fresh uniformly chosen values $x_j$ ($j \in \{7, 8\}$). In Game $G_6$ the challenge $g_3^{r_b} = g_3^{x_8}$ is finally independent of the input since $x_8$ does not appear anywhere else. After that, in Games $G_7$ to $G_{10}$ we reverse the changes we made to the input and BilinearMap during $G_1$ to $G_6$ in reverse order. More precisely, in $G_{6+j}$ we reverse the changes we made in $G_{6-j}$ for $1 \leq j \leq 4$. Finally, in $G_{10}$ we have reversed all changes (except for the one in $G_6$). This last game corresponds to the situation where $\mathcal{A}$ is given oracle access to a random BDDH tuple. If all intermediate games have been computationally indistinguishable (under the SqDDH and DDH assumption) then certainly also a real BDDH tuple is computationally indistinguishable from a random tuple, with respect to semi-generic algorithms. 

For the sake of clarity, let us consider the transition from $G_1$ to $G_2$ (SqDDH step) and $G_4$ to $G_5$ (DDH step) in some more detail and quantify the involved reductions. The oracle $\mathcal{O}_{G_1}$ in Game $G_1$ corresponds to the original semi-generic oracle for BDDH providing access to a real BDDH tuple. The oracle $\mathcal{O}_{G_2}$ in $G_2$ is equal to $\mathcal{O}_{G_1}$ except for the following changes: $\mathcal{O}_{G_2}$ additionally chooses $x_4 \leftarrow \mathbb{Z}_p$ and uses a slightly modified table for computing pairing outputs as specified in Table 1. Let us assume $\mathcal{A}$ distinguishes the two games in time $t$ with advantage 

$\epsilon_1 = \mathrm{Adv}_{\mathcal{A}}^{G_1, G_2} = \big|\Pr[1 \leftarrow \mathcal{A}^{\mathcal{O}_{G_1}}] - \Pr[1 \leftarrow \mathcal{A}^{\mathcal{O}_{G_2}}]\big|$. 

Then from $\mathcal{A}$ we can build an algorithm $\mathcal{B}$ for SqDDH. Again, we make use of the observation that semi-generic algorithms are blind with respect to $G_1$ and $e$ and set $G_1 := G_3$ and $e : G_3 \times G_3 \to G_3$. Now let an instance 

of the SqDDH problem over $G_3$ be given. $\mathcal{B}$ chooses $x_2, x_3 \leftarrow \mathbb{Z}_p$. Then it simulates $\mathcal{O}_{G_1}$ and $\mathcal{O}_{G_2}$ as follows (we indicate below how group elements are computed though $x_1$, $x_1^2$, $x_4$, and $b'$ are unknown to $\mathcal{B}$): 

- The list $\mathcal{L}_1$ is initialized with $g_3, g_3^{x_1}, g_3^{x_2}, g_3^{x_3}$. Over $G_3$, $\mathcal{A}$ is given $g_3, (g_3^{x_1})^{x_2 x_3}$. 

- For simulating BilinearMap, we use the fact that we only need to know the pairing output for all possible initial inputs. These elements can be computed as described by the following table: 

$a$: $g_3$, $g_3$, $g_3$, $g_3$, $g_3^{x_1}$, $g_3^{x_2}$, $g_3^{x_3}$, $g_3^{x_1}$, $g_3^{x_1}$, $g_3^{x_2}$ 

$b$: $g_3$, $g_3^{x_1}$, $g_3^{x_2}$, $g_3^{x_3}$, $g_3^{x_1}$, $g_3^{x_2}$, $g_3^{x_3}$, $g_3^{x_2}$, $g_3^{x_3}$, $g_3^{x_3}$ 

$e(a, b)$: $g_3$, $g_3^{x_1}$, $g_3^{x_2}$, $g_3^{x_3}$, $g_3^{r_{b'}}$, $g_3^{x_2^2}$, $g_3^{x_3^2}$, $(g_3^{x_1})^{x_2}$, $(g_3^{x_1})^{x_3}$, $g_3^{x_2 x_3}$ 

It is easy to see that if $b' = 1$, algorithm $\mathcal{B}$ exactly simulates $\mathcal{O}_{G_1}$, and $\mathcal{O}_{G_2}$ otherwise. Thus, by simply forwarding the output of $\mathcal{A}$, $\mathcal{B}$ solves the SqDDH problem instance with the same advantage $\epsilon_1$. 
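As an added example (not code from the paper) of the SqDDH step just described, the following builds $\mathcal{B}$'s pairing table from an SqDDH instance $(g_3, g_3^{x_1}, g_3^{r_{b'}})$ and the self-chosen $x_2, x_3$, without ever using $x_1$, and compares it with the honest oracle's table of Game $G_1$ (where the $(x_1, x_1)$ entry is $g_3^{x_1^2}$) and of Game $G_2$ (where it is $g_3^{x_4}$). $G_3$ is a constructed toy subgroup of $\mathbb{Z}_{2039}^*$ of order 1019; labels 0..3 are an assumed encoding of the initial inputs $g_1, g_1^{x_1}, g_1^{x_2}, g_1^{x_3}$.

```python
# Constructed toy parameters (not from the paper): q = 2p + 1 is a safe prime, so Z_q^*
# contains a subgroup G3 of prime order p, generated by the quadratic residue 4.
Q, P, G3 = 2039, 1019, 4

# Labels 0..3 stand for the initial inputs g1, g1^{x1}, g1^{x2}, g1^{x3} in L_1 (Type 1,
# with G1 := G3).  A table maps each unordered pair of labels to the pairing output e(a, b).


def table_from_sqddh(inst, x2, x3):
    """B's pairing table for the G1 -> G2 step, built from the SqDDH instance
    inst = (g3, g3^{x1}, g3^{r}) with r = x1^2 if b' = 1 and r uniformly random if b' = 0.
    B chose x2, x3 itself; x1 is never needed."""
    g, gx1, gr = inst
    return {(0, 0): g, (0, 1): gx1, (0, 2): pow(g, x2, Q), (0, 3): pow(g, x3, Q),
            (1, 1): gr, (2, 2): pow(g, x2 * x2 % P, Q), (3, 3): pow(g, x3 * x3 % P, Q),
            (1, 2): pow(gx1, x2, Q), (1, 3): pow(gx1, x3, Q), (2, 3): pow(g, x2 * x3 % P, Q)}


def challenge_from_sqddh(inst, x2, x3):
    """The G3 input handed to A: (g3^{x1})^{x2 x3} = g3^{x1 x2 x3}, a real BDDH challenge."""
    return pow(inst[1], x2 * x3 % P, Q)


def game_table(x1, x2, x3, x1_square):
    """The honest oracle's table of Game G1 (x1_square = x1^2) or Game G2 (x1_square = x4),
    computed with full knowledge of the exponents: e(g1^{x_i}, g1^{x_j}) = g3^{x_i x_j}."""
    exps = [1, x1, x2, x3]
    t = {(i, j): pow(G3, exps[i] * exps[j] % P, Q) for i in range(4) for j in range(i, 4)}
    t[(1, 1)] = pow(G3, x1_square % P, Q)
    return t


def differing_entries(t1, t2):
    """Which pairing outputs change between two games (the only place the games differ)."""
    return sorted(k for k in t1 if t1[k] != t2[k])
```

With $r = x_1^2$ the table equals the $G_1$ table and with $r = x_4$ the $G_2$ table, so $\mathcal{A}$'s guess of which game it is in is exactly a guess of $b'$.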

Let us now consider the transition from $G_4$ to $G_5$. The oracle $\mathcal{O}_{G_5}$ in $G_5$ coincides with $\mathcal{O}_{G_4}$ except for the following changes: $\mathcal{O}_{G_5}$ additionally chooses $x_7 \leftarrow \mathbb{Z}_p$ and uses a modified table for computing pairing outputs as specified in Table 1. Assume $\mathcal{A}$ distinguishes the two games in time $t$ with advantage $\epsilon_4 = \mathrm{Adv}_{\mathcal{A}}^{G_4, G_5}$. Then we can use $\mathcal{A}$ to build an algorithm $\mathcal{B}$ for DDH. Given an instance 

$(g_3, g_3^{x_1}, g_3^{x_2}, g_3^{r_{b'}})$ 

of DDH over $G_3$, $\mathcal{B}$ chooses $x_3, x_4, x_5, x_6$ and simulates $\mathcal{O}_{G_4}$ and $\mathcal{O}_{G_5}$. 

- The list $\mathcal{L}_1$ is initialized with $g_3, g_3^{x_1}, g_3^{x_2}, g_3^{x_3}$. Over $G_3$, $\mathcal{A}$ is given $g_3, (g_3^{r_{b'}})^{x_3}$. 

- For simulating BilinearMap we use the following table of pairing outputs: 

$a$: $g_3$, $g_3$, $g_3$, $g_3$, $g_3^{x_1}$, $g_3^{x_2}$, $g_3^{x_3}$, $g_3^{x_1}$, $g_3^{x_1}$, $g_3^{x_2}$ 

$b$: $g_3$, $g_3^{x_1}$, $g_3^{x_2}$, $g_3^{x_3}$, $g_3^{x_1}$, $g_3^{x_2}$, $g_3^{x_3}$, $g_3^{x_2}$, $g_3^{x_3}$, $g_3^{x_3}$ 

$e(a, b)$: $g_3$, $g_3^{x_1}$, $g_3^{x_2}$, $g_3^{x_3}$, $g_3^{x_4}$, $g_3^{x_5}$, $g_3^{x_6}$, $g_3^{r_{b'}}$, $(g_3^{x_1})^{x_3}$, $(g_3^{x_2})^{x_3}$ 

If $b' = 1$, $\mathcal{B}$ behaves like $\mathcal{O}_{G_4}$, whereas it behaves like $\mathcal{O}_{G_5}$ if $b' = 0$. By simply forwarding the output of $\mathcal{A}$, $\mathcal{B}$ solves the DDH problem instance with advantage $\epsilon_4$. 

The bound on $\epsilon$ now follows from $\epsilon \leq \sum_{i=1}^{9} \epsilon_i$, where $\epsilon_i = \mathrm{Adv}_{\mathcal{A}}^{G_i, G_{i+1}}$, and setting $\epsilon_{\mathrm{SqDDH}} = \max_{i \in \{1,2,3,7,8,9\}}(\epsilon_i)$, $\epsilon_{\mathrm{DDH}} = \max_{i \in \{4,5,6\}}(\epsilon_i)$. □ 



4 Analysis of General Problem Classes 

Analyzing general problem classes instead of individual problems is important for at 
least two reasons: First, it improves our understanding of the properties that need to be 
satisfied by a problem to be intractable with respect to semi-generic algorithms. Second, 
master theorems for these classes alleviate the burden of analyzing future problems. 

Generalized Pairing-Based Problems. Let a Type 1, 2, or 3 setting according to Definition 1 be given. Furthermore, let $t \in \mathbb{N}$, $d \in \{1, 2, 3\}$ be positive integers, $I_1, I_2, I_3 \subset \mathbb{Z}_p[X_1, \ldots, X_t]$ be finite sets of (publicly known) polynomials (called input polynomials) and $Q \in \mathbb{Z}_p[X_1, \ldots, X_t]$ be a single (publicly known) polynomial (called challenge polynomial). Then we define an $(I_1, I_2, I_3, Q)$-BDH$_{G_d}$ problem as: Given 

$\big((g_1^{R(x)})_{R \in I_1},\ (g_2^{R(x)})_{R \in I_2},\ (g_3^{R(x)})_{R \in I_3}\big)$, 

where $x \leftarrow \mathbb{Z}_p^t$ are secret random values, output $g_d^{Q(x)}$. A decisional variant of such problems can be defined analogously. In the following we always assume that the polynomial $1$ is contained in each $I_i$, which corresponds to the natural assumption that for each group a generator is given. 

Informally speaking, a (Ii, I 2 , la- Q)-BDHG rf problem is non-trivial if there is no 
way to compute Q using only the input polynomials and the operations on them which 
are implicitly given by the underlying bilinear setting. Let us restrict here to consider 
the case d G {1, 2}. Let Ii = {i?i, . . . , R t } and I 2 = {Si, . . . , S t /}. Then using 
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Observation 2 (Section l 2 TTI) . one can see that the output [c]<* of a semi-generic algorithm 
for the considered problem can be written as g 4** for some P of the form 



{ 


d= 1 


Y?j=i z jSji d = 2 and Type 3 setting ( 1 ) 

. £$= i z i R j + Sj=i z j S j > d = 2 and Type 2 setting 


We call a (Ii,I 2 , I3, Q)-BDHg ;/ non-trivial if there is no P of the above form such that 
c,J (x) = ^ (x) far all x G Z£, i.e., if P ^ Q 6 Z p [Xi, . . . , JQ], More formal and 
general definitions can be found in the full version of this paper GDI- 

Reductions for Generalized Problems. Theorem 3 extends the reduction we have seen for Co-DH in the preceding section to the more general class of $(I_1, I_2, I_3, Q)$-BDH$_{\mathbb{G}_d}$ problems. The crucial difference and novelty lies in the technique for extracting the wanted discrete logarithm given the output of the semi-generic algorithm.

Theorem 3. Let $d \in \{1, 2\}$ and $(I_1, I_2, I_3, Q)$-BDH$_{\mathbb{G}_d}$ be a non-trivial problem with challenge and input polynomials in $\mathbb{Z}_p[X_1, \ldots, X_\ell]$. Let $k = \max_i(\deg_{X_i}(I_1 \cup I_2 \cup I_3))$. Suppose there is a semi-generic algorithm $A$ solving $(I_1, I_2, I_3, Q)$-BDH$_{\mathbb{G}_d}$ in time $t$ with success probability $\varepsilon$. Then there is an algorithm $B$ solving $2k$-DL in $\mathbb{G}_3$ in time $t' \approx t + O(k' \log p)$, where $k' = \max(k, \deg(Q))$, with probability $\varepsilon' \geq \varepsilon/\ell$.

Proof. Let $k_1 = 2k$. $B$ takes as input a $k_1$-DL challenge $a_0 = g_3,\ a_1 = g_3^{x},\ \ldots,\ a_{k_1} = g_3^{x^{k_1}}$. It then chooses $i^* \leftarrow \{1, \ldots, \ell\}$ and $x_1, \ldots, x_{i^*-1}, x_{i^*+1}, \ldots, x_\ell \leftarrow \mathbb{Z}_p$. The unknown $x$ is treated as the secret choice $x_{i^*}$ in the context of a $(I_1, I_2, I_3, Q)$-BDH$_{\mathbb{G}_d}$ instance. We only sketch important points in the simulation of the semi-generic oracle: Each internal list $\mathcal{L}_j$ is initialized with the elements $(g_3^{P(\mathbf{x})})_{P \in I_j}$, where for a polynomial $P = \sum_{e = (e_1, \ldots, e_\ell) \in E} b_e X_1^{e_1} \cdots X_\ell^{e_\ell}$, $E \subset \mathbb{Z}_p^\ell$, the element $g_3^{P(\mathbf{x})}$ can be computed as
\[
  g_3^{P(\mathbf{x})} = \prod_{e \in E} a_{e_{i^*}}^{\,b_e \prod_{j \neq i^*} x_j^{e_j}}
\]
using the given instance of the $k_1$-DL problem. This is possible because the degree in $X_{i^*}$ of the polynomials in each set $I_j$ is upper bounded by $k_1$. Similarly, the table for simulating BilinearMap can be created, since for each entry $g_3^{P(\mathbf{x})}$ in this table, $P$ is again of degree at most $k_1$ in $X_{i^*}$.

Given a $(I_1, I_2, I_3, Q)$-BDH$_{\mathbb{G}_d}$ instance, $A$ eventually outputs an index $[c]_d$. Then $c$ can be written as $g_d^{P(\mathbf{x})}$ for some known polynomial $P$ as described in Equation (1). Thus, $A$ wins if $Q(\mathbf{x}) = P(\mathbf{x}) \bmod p$. Since $Z := Q - P$ is not zero modulo $p$ (the problem is non-trivial), this success event can be split into disjoint events $S_1, \ldots, S_\ell$, where $S_j$ is defined as:
\[
  Z(X_1 = x_1, \ldots, X_{j-1} = x_{j-1}) \not\equiv 0 \quad \text{and} \quad Z(X_1 = x_1, \ldots, X_j = x_j) \equiv 0 \qquad (2)
\]
Denoting the probability of event $S_j$ by $\alpha_j$, we obtain $\varepsilon = \alpha_1 + \cdots + \alpha_\ell$.

Now assume that event $S_{i^*}$ occurs, which happens with probability $\varepsilon/\ell$. Consider the polynomial $Z_{i^*} = Z(X_1 = x_1, \ldots, X_{i^*-1} = x_{i^*-1}) \bmod p \in \mathbb{Z}_p[X_{i^*}, \ldots, X_\ell]$. This polynomial is of the form $Z_{i^*} = \sum_{e = (e_{i^*}, \ldots, e_\ell) \in E} b_e X_{i^*}^{e_{i^*}} \cdots X_\ell^{e_\ell}$ for some $E \subset \mathbb{Z}_p^{\ell - i^* + 1}$, where in at least one monomial the variable $X_{i^*}$ appears with a non-zero exponent $e_{i^*}$. Let $M = b_e X_{i^*}^{e_{i^*}} \cdots X_\ell^{e_\ell}$ be one of these monomials. Then consider the polynomial $Z'_{i^*}$ we obtain by summing up all monomials of $Z_{i^*}$ containing the submonomial $X_{i^*+1}^{e_{i^*+1}} \cdots X_\ell^{e_\ell}$:
\[
  Z'_{i^*} = \sum_{e' = (e'_{i^*}, e_{i^*+1}, \ldots, e_\ell) \in E} b_{e'} X_{i^*}^{e'_{i^*}} X_{i^*+1}^{e_{i^*+1}} \cdots X_\ell^{e_\ell}.
\]
Clearly, we have $Z'_{i^*} \not\equiv 0 \bmod p$, and since $Z_{i^*}(X_{i^*} = x_{i^*}) \equiv 0 \bmod p$ it also holds that $Z'_{i^*}(X_{i^*} = x_{i^*}) \equiv 0 \bmod p$. Hence, $x_{i^*} = x$ is a root of the non-zero univariate polynomial
\[
  Z''_{i^*} = \sum_{e' = (e'_{i^*}, e_{i^*+1}, \ldots, e_\ell) \in E} b_{e'} X_{i^*}^{e'_{i^*}}.
\]
Note that Algorithm $B$ can easily construct the polynomial $Z''_{i^*}$ by picking an arbitrary monomial from $Z_{i^*}$ in which $X_{i^*}$ appears with a non-zero exponent. The coefficients $b_e$ can also be easily computed, since the coefficients of $Z$ are known and $x_1, \ldots, x_{i^*-1}$ have been chosen by $B$. So by applying an efficient standard algorithm for computing roots of polynomials over $\mathbb{Z}_p$, such as [?, Algorithm 14.15], $B$ can find the wanted DL $x_{i^*} = x$ by computing all roots of the polynomial $Z''_{i^*}$. These at most $k' = \max(k, \deg(Q))$ different roots can be computed in time $O(k' \log p)$ [?, Corollary 14.16]. Whether a root $x'$ equals $x$ can be tested by verifying $g_3^{x'} = a_1$. □
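As an added illustration, not taken from the paper, the following Python code carries out on a toy group the two mechanical steps of $B$ in the proof above: raising $g_3$ to $P(\mathbf{x})$ from the $k_1$-DL instance without knowing $x_{i^*}$, and recovering $x_{i^*}$ from $Z = Q - P$ through the univariate polynomial $Z''_{i^*}$. The group (the order-11 subgroup of $\mathbb{Z}_{23}^*$), the polynomial $Z$ and the secret values are constructed assumptions, and exhaustive search over $\mathbb{Z}_p$ stands in for the root-finding algorithm the paper cites.

```python
# Added example (not from the paper): B's simulation and extraction steps in the
# proof of Theorem 3, on a toy group.  Polynomials over Z_p are dicts
# {exponent tuple: coefficient}; the tuple (e_1, ..., e_l) encodes X_1^e_1 ... X_l^e_l.
#
# Toy parameters (constructed): G_3 is the subgroup of order p = 11 of Z_23^*,
# generated by g = 4 (23 = 2 * 11 + 1, and 4 has order 11).

P_MOD = 23          # modulus of the ambient group Z_23^*
p = 11              # prime group order
g = 4               # element of order 11 in Z_23^*


def dl_instance(x, k1):
    """The k1-DL challenge (a_0, ..., a_k1) = (g, g^x, ..., g^(x^k1)) handed to B."""
    return [pow(g, pow(x, i, p), P_MOD) for i in range(k1 + 1)]


def partial_eval(poly, assignment):
    """Substitute X_j = v for every (j, v) in assignment (j is 1-based), reduce mod p."""
    out = {}
    for exps, coeff in poly.items():
        c = coeff
        new = list(exps)
        for j, v in assignment.items():
            c = c * pow(v, exps[j - 1], p) % p
            new[j - 1] = 0
        if c:
            key = tuple(new)
            out[key] = (out.get(key, 0) + c) % p
    return {k: v for k, v in out.items() if v}


def exp_from_instance(poly, a, known, istar):
    """g^{P(x)} = prod_e a_{e_{i*}}^{b_e * prod_{j != i*} x_j^{e_j}}, as sketched in the
    proof; `known` maps every index j != istar to the value x_j chosen by B."""
    result = 1
    for exps, coeff in poly.items():
        scalar = coeff
        for j, v in known.items():
            scalar = scalar * pow(v, exps[j - 1], p) % p
        result = result * pow(a[exps[istar - 1]], scalar, P_MOD) % P_MOD
    return result


def univariate_slice(z_istar, istar):
    """Z''_{i*}: pick a monomial of Z_{i*} with a non-zero X_{i*} exponent and collect
    every monomial sharing its tail X_{i*+1}^{e_{i*+1}} ... X_l^{e_l}.
    Returns {exponent of X_{i*}: coefficient}."""
    pivot = next(e for e in z_istar if e[istar - 1] > 0)
    tail = pivot[istar:]
    coeffs = {}
    for exps, coeff in z_istar.items():
        if exps[istar:] == tail:
            d = exps[istar - 1]
            coeffs[d] = (coeffs.get(d, 0) + coeff) % p
    return coeffs


def roots_mod_p(coeffs):
    """All roots in Z_p of a univariate polynomial.  p is tiny here, so exhaustive
    evaluation stands in for the root-finding algorithm cited in the paper."""
    return [r for r in range(p)
            if sum(c * pow(r, d, p) for d, c in coeffs.items()) % p == 0]


def extract_dl(z, known_prefix, istar, a):
    """B's final step: roots of Z''_{i*}, filtered by the check g^{x'} = a_1."""
    z_istar = partial_eval(z, known_prefix)   # Z(X_1 = x_1, ..., X_{i*-1} = x_{i*-1})
    candidates = roots_mod_p(univariate_slice(z_istar, istar))
    return [r for r in candidates if pow(g, r, P_MOD) == a[1]]


# Constructed instance: l = 3 variables, secret position i* = 2, x = (3, 7, 5).
# Z = (X_1 X_3 + X_3^2) * (X_2^2 + 2 X_2 + 3) vanishes at x but not after fixing
# X_1 alone, so the event S_2 of the proof occurs.
X = (3, 7, 5)
I_STAR = 2
Z = {(1, 2, 1): 1, (1, 1, 1): 2, (1, 0, 1): 3,
     (0, 2, 2): 1, (0, 1, 2): 2, (0, 0, 2): 3}
A = dl_instance(X[I_STAR - 1], k1=4)       # k1 = 2k with k = 2 here
KNOWN = {1: X[0], 3: X[2]}                 # x_1 and x_3 are chosen by B itself

if __name__ == "__main__":
    # g^{Z(x)} computed from the instance alone is 1 because Z(x) = 0 mod p
    print("g^{Z(x)} from the instance:", exp_from_instance(Z, A, KNOWN, I_STAR))
    print("recovered x_{i*}:", extract_dl(Z, {1: X[0]}, I_STAR, A))
```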

We have also been able to find a reduction for a general class of decisional problems which is efficient for virtually all problems of this class considered in practice. Essentially, our reduction from the SqDDH problem over $\mathbb{G}_3$ works for all $(I_1, I_2, I_3, Q)$-BDDH$_{\mathbb{G}_3}$ problems where variables in $I_1 \cup I_2$ and in $I_3 \cup \{Q\}$ appear with at most linear and quadratic exponents, respectively. Our approach for this general reduction differs from the one for BDDH we have seen in the preceding section in the following way: The BDDH reduction is direct in the sense that all reduction steps take place directly in the semi-generic model. As an alternative, one could also first "project" BDDH to the group $\mathbb{G}_3$ by finding an "appropriate" problem which reduces in a single step to BDDH (with respect to semi-generic algorithms) and then apply all DDH and SqDDH reduction steps to this problem in the standard model. We follow this latter approach in our proof for general bilinear decisional problems, since it has the advantage that we can resort to Bresson et al.'s results for generalized DDH problems [?] in the standard model. However, this is not straightforward. Since their results are quite restricted, we need to enhance them to more general problem classes. For more details on our result for bilinear decisional problems we refer to the full version [?].

5 Analyzing Cryptosystems in the Semi-Generic Model 

Besides studying cryptographic hardness assumptions, it would also be interesting to use the SGGM as a tool to analyze the security of practical pairing-based cryptosystems. Similar analyses have been made in the classical GGM [?]. In this section we consider the Boneh-Lynn-Shacham (BLS) signature scheme [?] in the SGGM. It turns out that it is possible to prove security of this scheme under the semi-generic groups heuristic, by requiring concrete (but non-standard) properties of the hash function.

The BLS signature scheme over a Type 1 bilinear setting is defined as follows. Let $H_1$ be a hash function $H_1 : \{0,1\}^\ell \to \mathbb{G}_1$.

- Gen samples a random generator $g$ of $\mathbb{G}_1$, $s \leftarrow \mathbb{Z}_p$, and sets $pk = (g, g^s)$, $sk = s$.

- Sign$(sk, m)$ computes $H_1(m)$ and returns $\sigma = H_1(m)^s$.

- Verify$(pk, m, \sigma)$ returns $1$ if $e(H_1(m), g^s) = e(\sigma, g)$, and $0$ otherwise.

Let us now describe the EUF-CMA security experiment for the BLS signature scheme in the SGGM. Here we are facing a technical problem: the BLS scheme utilizes a hash function $H_1 :\{0,1\}^\ell \to \mathbb{G}_1$, that is, the output of this map is a group element in some given representation. However, in the SGGM we want to consider algorithms which are independent of a particular representation of elements of $\mathbb{G}_1$. Since in our model elements of $\mathbb{G}_1$ are given as list indices, we have no representation of group elements that we could use as the range of the hash function.

One possible solution would be to fall back on the formalization of a generic group by Shoup [?]. In this model, group elements are represented by unique random bit strings. Thus, we could use a hash function that maps to bit strings of appropriate size. However, the fact that group elements are encoded as random strings has been subject to much criticism [?]. For instance, the Shoup model can be misused to implement a random oracle, which is of no avail since we want to avoid random oracles in our security proof. Therefore we follow a different approach: we implement $H_1$ as a generic group hash function.

Definition 2. A group hash function is a pair of algorithms $\mathsf{H} = (\mathrm{GHGen}, \mathrm{GHEval})$.

- GHGen takes as input a generator $g$ of $\mathbb{G}_1$, and returns $\mathbf{A} = (a_1, \ldots, a_S) \in \mathbb{G}_1^S$. Vector $\mathbf{A}$ specifies a function $H_1 : \{0,1\}^\ell \to \mathbb{G}_1$.

- Algorithm GHEval takes as input a vector $\mathbf{A} \in \mathbb{G}_1^S$ and a string $m \in \{0,1\}^\ell$, and returns $H_1(m) \in \mathbb{G}_1$.

We say that a group hash function is generic if GHGen and GHEval perform only group operations on the elements of $\mathbf{A}$.

Examples of generic group hash functions are the hash function used in Waters' IBE scheme [?] and the programmable hash functions of Hofheinz and Kiltz [?].

Generic group hash functions have the useful property that there exist "trapdoor" set-up and evaluation algorithms (TrapGen, TrapEval) with the following properties.

- TrapGen takes as input a generator $g \in \mathbb{G}_1$. It returns a vector $\mathbf{A} \in \mathbb{G}_1^S$, distributed identically to the output of GHGen for all $g$, and some trapdoor information $td$.

- Algorithm TrapEval takes as input a vector $\mathbf{A} \in \mathbb{G}_1^S$ and a string $m \in \{0,1\}^\ell$, and returns $h$ such that $g^h = H_1(m)$.

For the security proof we need to demand a strong form of collision resistance.

Definition 3. A group hash function is $(\varepsilon, t, q)$-algebraic collision resistant if
\[
  \Pr\Bigl[ (m_0, \ldots, m_q, i_0, \ldots, i_q) \leftarrow A(\mathbf{A}) :\ H_1(m_0) = g^{i_0} \prod_{j=1}^{q} H_1(m_j)^{i_j} \Bigr] \leq \varepsilon
\]
for all algorithms $A$ running in time $t$.

By employing techniques from [?] it is possible to construct hash functions satisfying this property under weak assumptions, like the hardness of computing discrete logarithms in $\mathbb{G}_1$, for any constant $q$. A major drawback is, however, that for these constructions the size $S$ of the vector $\mathbf{A}$ grows at least linearly with $q$. We leave it as an open problem to study whether there exists a (possibly probabilistic) trapdoor group hash function such that $S$ is constant and $q = q(n)$ is a polynomial.

We formalize the EUF-CMA experiment in the SGGM as follows. At the beginning of the game, the challenger samples a random generator $g$ and a secret key $x$. Then it runs $(a_1, \ldots, a_S) \leftarrow \mathrm{GHGen}(g)$, sets $I_1 := (g, g^x, a_1, \ldots, a_S)$, and implements a semi-generic oracle with input $I_1$ as described in Section 2. This provides the adversary with the public key, and with the ability to perform group operations on elements of $\mathbb{G}_1$.

When the adversary queries a signature for some chosen message $m_i$, the challenger computes $H(m_i)^x$ and appends it to the list $\mathcal{L}_1$.

We say that the adversary wins the game if it outputs a message $m$ and an index $[s]_1$ such that $s = H(m)^x$, that is, the adversary has computed a valid signature for $m$. We say that a semi-generic adversary $A$ $(\varepsilon, t)$-breaks the EUF-CMA security of a signature scheme if $A$ runs in time $t$ and $\Pr[A \text{ wins}] \geq \varepsilon$.


Theorem 4. Suppose there exists an adversary $A$ $(\varepsilon, t)$-breaking the EUF-CMA security of the BLS signature scheme in the semi-generic model by making $q$ chosen-message signature queries. Then there exist an algorithm $B_{\mathrm{coll}}$ $(\varepsilon_{\mathrm{coll}}, t_{\mathrm{coll}}, q)$-breaking the algebraic collision resistance of $H_1$ and an algorithm $B_{\mathrm{dl}}$ $(\varepsilon_{\mathrm{dl}}, t_{\mathrm{dl}})$-solving the discrete logarithm problem in $\mathbb{G}_1$, such that $t \approx t_{\mathrm{coll}} \approx t_{\mathrm{dl}}$ and $\varepsilon \leq \varepsilon_{\mathrm{coll}} + \varepsilon_{\mathrm{dl}}$.


Proof. Suppose there exists an adversary $A$ that outputs a message $m$ and an index $[s]_1$ such that $s = H(m)^x$. In the SGGM, an adversary has to compute a group element of $\mathbb{G}_1$ by applying a sequence of group operations to the initial values $(g, g^x, a_1, \ldots, a_S)$ stored in $\mathcal{L}_1$ and to the group elements added to the list by the challenger oracle in response to chosen-message signature queries. Thus, when $A$ outputs $(m, [s]_1)$ such that $s = H(m)^x$, the oracle obtains an equation
\[
  H(m)^x = g^{\alpha_1} \cdot (g^x)^{\alpha_2} \cdot \prod_{i=1}^{S} a_i^{\beta_i} \cdot \prod_{i=1}^{q} \bigl(H(m_i)^x\bigr)^{\gamma_i} \qquad (3)
\]
or equivalently
\[
  x \cdot \Bigl(\log_g H(m) - \sum_{i=1}^{q} \gamma_i \log_g H(m_i) - \alpha_2\Bigr) = \alpha_1 + \sum_{i=1}^{S} \beta_i \log_g a_i
\]
for integers $\alpha_i, \beta_i, \gamma_i$ known to the oracle. We consider two types of forgers:

1. A Type-A forger performs a sequence of operations such that
\[
  \log_g H(m) - \sum_{i=1}^{q} \gamma_i \log_g H(m_i) - \alpha_2 \equiv 0 \bmod p. \qquad (4)
\]

2. A Type-B forger performs a sequence of operations such that
\[
  \log_g H(m) - \sum_{i=1}^{q} \gamma_i \log_g H(m_i) - \alpha_2 \not\equiv 0 \bmod p. \qquad (5)
\]

Lemma 1. Suppose there exists a Type-A forger $A$ $(\varepsilon, t)$-breaking the EUF-CMA security of the BLS signature scheme by making at most $q$ chosen-message queries. Then there exists an algorithm $B_{\mathrm{coll}}$ $(\varepsilon_{\mathrm{coll}}, t_{\mathrm{coll}}, q)$-breaking the algebraic collision resistance of (GHGen, GHEval) in time $t' \approx t$ with success probability $\varepsilon_{\mathrm{coll}} \geq \varepsilon$.

Proof. Algorithm $B_{\mathrm{coll}}$ receives as input a vector $\mathbf{A}' = (g', a'_1, \ldots, a'_S)$. It proceeds exactly like the semi-generic EUF-CMA challenger, except that it sets $g := g'$ and $a_i := a'_i$ instead of sampling $g$ at random and generating $\mathbf{A}$ by running $\mathrm{GHGen}(g)$. In particular, $B_{\mathrm{coll}}$ chooses the secret key $x \leftarrow \mathbb{Z}_p$ itself and is therefore able to simulate the original challenger perfectly.

When $A$ outputs $(m, [s]_1)$ such that $s = H(m)^x$, $B_{\mathrm{coll}}$ computes and returns the integers $(\alpha_2, \gamma_1, \ldots, \gamma_q)$ as in Equation (3). Observe that if Equation (4) is satisfied, then we have $H(m) = g^{\alpha_2} \cdot \prod_{i=1}^{q} H(m_i)^{\gamma_i}$.

Lemma 2. Suppose there exists a Type-B forger $A$ $(\varepsilon, t)$-breaking the EUF-CMA security of the BLS signature scheme. Then there exists an algorithm $B_{\mathrm{dl}}$ solving the discrete logarithm problem in $\mathbb{G}_1$ in time $t_{\mathrm{dl}} \approx t$ with success probability $\varepsilon_{\mathrm{dl}} \geq \varepsilon$.

Proof. Algorithm $B_{\mathrm{dl}}$ receives as input a tuple $(g', y)$. It sets $g := g'$, $g^x := y$, and runs $(\mathbf{A}, td) \leftarrow \mathrm{TrapGen}(g)$ to generate the public parameters of the hash function. Recall that $\mathbf{A}$ is distributed identically to some $\mathbf{A}'$ generated by GHGen. It sets $I_1 := (g, g^x, a_1, \ldots, a_S)$, and implements a semi-generic oracle with initial list state $I_1$.

Since $B_{\mathrm{dl}}$ does not know the secret-key exponent $x$, it answers chosen-message signature queries of $A$ differently. $B_{\mathrm{dl}}$ makes use of the trapdoor information $td$ generated along with $\mathbf{A}$. Whenever $A$ submits a chosen message $m_i$, $B_{\mathrm{dl}}$ computes $h_i = \mathrm{TrapEval}(m_i)$ and appends $y^{h_i}$ to $\mathcal{L}_1$. Note that $y^{h_i} = g^{x \log_g H(m_i)} = H(m_i)^x$, thus this is a valid signature.

When $A$ outputs $(m, [s]_1)$ such that $s = H(m)^x$, $B_{\mathrm{dl}}$ computes the integers $(\alpha_i, \beta_i, \gamma_i)$ as in Equation (3) and returns
\[
  x = \log_g y = \frac{\alpha_1 + \sum_{i=1}^{S} \beta_i \log_g a_i}{\log_g H(m) - \sum_{i=1}^{q} \gamma_i \log_g H(m_i) - \alpha_2},
\]
which is possible since $\log_g H(m) - \sum_{i=1}^{q} \gamma_i \log_g H(m_i) - \alpha_2 \not\equiv 0 \bmod p$.
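As an added example, not part of the paper, the following Python sketch implements the bookkeeping a semi-generic EUF-CMA challenger for BLS can keep so that the coefficients of Equation (3) are available when a forgery is output, together with the case split of Theorem 4 (Lemmas 1 and 2). The toy group, the Waters-style generic hash, its trapdoor $(t_0, \ldots, t_\ell)$ and the two stand-in forgers (which are handed knowledge a real adversary does not have, purely to exercise both branches) are constructed assumptions.

```python
# Added example (not from the paper): exponent-vector bookkeeping for the semi-generic
# EUF-CMA challenger of Section 5 and the Type-A / Type-B case split of Theorem 4.
# Every element reachable in the list L_1 is stored with its exponent vector
# (alpha_1, alpha_2, beta_1..beta_S, gamma_1..gamma_q) relative to the initial list
# (g, g^x, a_1, ..., a_S) and the signatures H(m_i)^x handed out, which is exactly
# Equation (3).  The group hash is a Waters-style generic hash over ELL-bit messages,
# H(m) = a_0 * prod_{m_j = 1} a_j, with TrapGen choosing a_j = g^{t_j} so that
# TrapEval(m) = t_0 + sum_j t_j m_j.  All parameters are constructed toy values.

P_MOD, p, g = 23, 11, 4      # order-11 subgroup of Z_23^*, generated by 4
ELL = 3                      # message length in bits; S = ELL + 1 hash parameters


class SemiGenericBLS:
    """Challenger of Lemma 2: holds y = g^x but not x, and uses the hash trapdoor."""

    def __init__(self, y, trapdoor):
        self.y, self.t = y, trapdoor              # t = (t_0, ..., t_ELL)
        self.S, self.q = ELL + 1, 0
        self.signed = []                         # queried messages m_1, m_2, ... in order
        # L_1: index 0 is g, index 1 is y = g^x, indices 2..S+1 are a_0..a_ELL
        self.L = [(g, self._vec(alpha1=1)), (y, self._vec(alpha2=1))]
        for j in range(self.S):
            self.L.append((pow(g, self.t[j], P_MOD), self._vec(beta=j)))

    def _vec(self, alpha1=0, alpha2=0, beta=None, gamma=None):
        v = [alpha1, alpha2] + [0] * self.S + [0] * self.q
        if beta is not None:
            v[2 + beta] = 1
        if gamma is not None:
            v[2 + self.S + gamma] = 1
        return v

    def trap_eval(self, m):
        """log_g H(m) for an ELL-bit message tuple m, computed from the trapdoor."""
        return (self.t[0] + sum(self.t[j + 1] * b for j, b in enumerate(m))) % p

    # ---- oracle interface seen by the semi-generic adversary (indices only) ----
    def mul(self, i, j):
        (e1, v1), (e2, v2) = self.L[i], self.L[j]
        self.L.append((e1 * e2 % P_MOD, [(a + b) % p for a, b in zip(v1, v2)]))
        return len(self.L) - 1

    def power(self, i, c):
        e, v = self.L[i]
        self.L.append((pow(e, c, P_MOD), [(a * c) % p for a in v]))
        return len(self.L) - 1

    def sign(self, m):
        """Answer a chosen-message query with H(m)^x = y^{TrapEval(m)} (Lemma 2)."""
        self.signed.append(m)
        self.L = [(e, v + [0]) for e, v in self.L]       # one more gamma slot everywhere
        self.q += 1
        self.L.append((pow(self.y, self.trap_eval(m), P_MOD), self._vec(gamma=self.q - 1)))
        return len(self.L) - 1

    def reduce(self, m, idx):
        """Theorem 4's case split on a valid forgery (m, [s]_1) with m never queried.
        Type A (Equation (4)): return the algebraic collision (m, alpha_2, gammas).
        Type B (Equation (5)): return x via the quotient at the end of Lemma 2."""
        s, v = self.L[idx]
        if m in self.signed or s != pow(self.y, self.trap_eval(m), P_MOD):
            raise ValueError("not a valid forgery")
        alpha1, alpha2 = v[0], v[1]
        beta, gamma = v[2:2 + self.S], v[2 + self.S:]
        denom = (self.trap_eval(m) - alpha2
                 - sum(gi * self.trap_eval(mi) for gi, mi in zip(gamma, self.signed))) % p
        if denom == 0:
            return ("collision", m, alpha2, gamma)
        numer = (alpha1 + sum(bj * self.t[j] for j, bj in enumerate(beta))) % p
        return ("dlog", numer * pow(denom, -1, p) % p)


def run_demo(x=9):
    """Two signing queries, then a forgery of each type on the fresh message m = 110."""
    trapdoor = (2, 5, 8, 3)                      # constructed t_0..t_3
    chal = SemiGenericBLS(pow(g, x, P_MOD), trapdoor)
    chal.sign((1, 0, 1))
    chal.sign((0, 1, 1))
    m = (1, 1, 0)
    # Stand-in forgers with knowledge a real adversary lacks, used only to reach both cases.
    # Type-B: knows x, computes g^{x * log_g H(m)} from index 0 (alpha_1 = x * log_g H(m)).
    type_b = chal.power(0, x * chal.trap_eval(m) % p)
    # Type-A: knows the trapdoor, computes y^{log_g H(m)} from index 1 (alpha_2 = log_g H(m)).
    type_a = chal.power(1, chal.trap_eval(m))
    return chal.reduce(m, type_b), chal.reduce(m, type_a)


if __name__ == "__main__":
    print(run_demo())
```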
Abstract. HFE is a public key scheme introduced by Patarin in 1996. An HFE public key is a large system of polynomials in many variables over a small finite field. This system results from some secret composition, based on which the owner can solve it for any arbitrary vector.

While the security of the cryptosystem relies on the difficulty of solving the public system without the trapdoor information, in 2002 Faugère found experimentally that Gröbner basis computations perform much better on certain HFE instances than on random systems. More specifically, Faugère observed that the regular behaviour of the Gröbner basis computation collapses at a much lower degree than expected for random systems, letting the computation finish much earlier. Accounting for this distinctive property, Faugère and Joux showed in 2003 that mapping HFE systems to some other multivariate ring exhibits the particular algebraic structure of these systems. Nevertheless, they did not offer the actual computation of the degree of regularity of HFE systems. Later, in 2006, Granboulan, Joux and Stern showed an asymptotic upper bound on the degree of regularity of HFE systems over GF(2) using independent results on overdetermined systems of equations. The case of larger ground fields has, however, remained completely unsolved. In this paper, we exhibit an additional property of HFE systems that is increasingly significant as the size of the ground field grows. Using this property with a standard combinatorial calculation yields an arguably tight numerical bound on the degree of regularity of HFE systems for any parameters.

Keywords: multivariate polynomials, HFE, algebraic cryptanalysis. 

1 Introduction 

Solving large systems of multivariate equations over a finite field is one of the most recurrent problems in computer science. Although achieving this task seems very hard in general and can only be tackled for small sizes by the current best algorithms, sparse classes of systems exist that can be solved efficiently. In the last fifteen years, attempts have been made at exploiting this gap to build asymmetric cryptographic primitives. In a nutshell, the issue has been to find secure ways of masking structured systems of polynomials.

* This paper is an extended abstract. The full version is available from the authors. 
The HFE Cryptosystem. One of the most prominent proposals in this area has been the Hidden Field Equation cryptosystem, introduced by Patarin in 1996. HFE is based on an elegant idea introduced by Matsumoto and Imai in 1988 of deriving a set of multivariate equations from a single variable equation over a large extension field; this makes use of the vector space structure of this extension field. When the single variable equation can be solved efficiently the same holds for the multivariate system, and access to the large field equation is restricted by applying secret linear bijections on the variables and equations.

More formally, let $\mathbb{F}_q$ denote the finite field with $q$ elements and let $\phi$ be some linear bijection from $\mathbb{F}_{q^n}$, the degree $n$ extension of $\mathbb{F}_q$, to $(\mathbb{F}_q)^n$. Such a linear bijection is defined by a choice of a linear basis of $\mathbb{F}_{q^n}$. To any polynomial function $P(X)$ on $\mathbb{F}_{q^n}$, one associates the function $\phi \circ P \circ \phi^{-1}$ on $(\mathbb{F}_q)^n$. In HFE, polynomials $P$ have a small degree to ensure efficient root finding. Also, they have a special shape which ensures that $\phi \circ P \circ \phi^{-1}$ is quadratic. This function is then composed with secret linear bijections $S, T : (\mathbb{F}_q)^n \to (\mathbb{F}_q)^n$, giving $T \circ (\phi \circ P \circ \phi^{-1}) \circ S$, and the result is released as the public function. HFE can be used as a signature scheme and also, with some minor arrangements, as an encryption scheme [?]. Many variations exist and offer potential enhancements.

The Security of HFE. The fundamental issue is whether the public function is a one-way function. Finding a preimage by the public function is the same as finding a solution to the corresponding system of quadratic equations. Denote by $\mathrm{MQ}(q, n)$ the set of systems of $n$ quadratic equations in $n$ variables over $\mathbb{F}_q$, and by $\mathrm{HFE}(q, n, D)$ the subset of HFE systems, where $D$ is the parameter that controls the degree of the internal polynomial $P$. Two lines of work have so far been able to distinguish HFE systems from random MQ systems. One line of work, proposed in [?], targets so-called differential properties of HFE functions and was able to produce a distinguisher with proven complexity for all parameters $(q, n, D)$. The other line of work, proposed in [?], directly targets the difficulty of the preimage problem on HFE systems. It produced experimental evidence that for some parameters the preimage problem is much easier on HFE systems than on random MQ instances [?]. Since the difficulty of the preimage problem on HFE systems is ultimately the issue, one wishes to clarify what property is disclosed by the methods used in the second line of work and how this property depends on the parameters $(q, n, D)$. So far, the available information has been the following.

1. The experimental evidence has been obtained by using algorithms for computing Gröbner bases [?]. These algorithms proceed through combinations with polynomial coefficients of a given set of polynomials and generate additional polynomials that can be used to solve the system.

2. The attacks have only concerned systems over $\mathbb{F}_2$. Experiments for various values of $n$ and $D$ evidenced that the degree of combinations needed to compute a Gröbner basis (for a graded ordering of terms) on HFE systems only depends on $D$ for large enough $n$ [?]. Unfortunately, no extension of this property to larger values of $q$ has been reported. In fact, some authors [?] argued that the size of the field should have a strong negative impact on the computation and observed it in experiments using the Magma package [?].

3. On the theoretical side, a qualitative account was given in [?] on how the combinations performed on the public polynomials correspond to related operations on the internal polynomial. Although this clearly initiated a way of investigating HFE systems, it has not been followed with the computation of theoretical complexity bounds. Nevertheless, the authors of [?] showed that when $q = 2$, complexity bounds can be heuristically derived from results on overdetermined MQ systems.

We note that quantitative information has only been obtained from experiments and on systems over $\mathbb{F}_2$. The theoretical connections have not made it possible to derive quantitative information beyond practical reach. Notably, how the phenomenon that is observed experimentally varies as $q$ increases has remained unknown. The gain of potential enhancements also has, incidentally, remained unclear.

Our contribution. Recent studies on the complexity of Gröbner basis algorithms focus on the notion of degree of regularity of a system of polynomials [?]. Roughly speaking, the degree of regularity is the smallest degree at which a non-trivial degree fall among algebraic combinations of the input polynomials occurs. The degree of regularity of HFE systems over $\mathbb{F}_2$ was experimentally found within some parameter range in [?] and asymptotically upper bounded in [?] using the results of [?]. In this paper, we give a way to compute a numerical bound on the degree of regularity of HFE systems over any field and for any parameters. This is achieved by using previous ideas and methods present in [?] in combination with an apparently unnoticed additional property of HFE systems which is increasingly significant as the size of the ground field grows.

Organization of the paper. In Section 2, we define the degree of regularity of a system of polynomials and relate this notion to the computation of a Gröbner basis. In Section 3, we define HFE systems in greater detail and set a few notations. In Section 4, we map the problem of computing the degree of regularity to some other multivariate ring where the algebraic structure of HFE systems is apparent. This is only a more precise statement of a property used in [?], and our upper bound derives from the same observation that the degree of regularity is upper bounded by the degree of regularity of any subsystem. In Section 5, we show how to compute the degrees of regularity of these subsystems by using classical methods such as those used in [?], but with the specific properties of the polynomials at hand. We deduce numerical bounds for many parameters. In Section 6, we derive estimates on the complexity of algebraic attacks on HFE.

2 Algebraic Properties of a System of Polynomials 

We first give an informal presentation of the notions that will be used in the 
sequel and then give precise definitions and statements for our particular setting. 
2.1 Solving a System of Multivariate Equations

Suppose we face the problem of finding the common roots of a system of polynomials $p_1, \ldots, p_k$ in a multivariate ring $R$ over a field. Were this system in few enough variables to be tried by hand, one would probably try to combine the given polynomials to derive "simpler" ones, that is, ones that make it easier to discover the space of solutions. For instance, one may try to obtain a polynomial in fewer variables, or with a smaller total degree. In any case, combining the given polynomials always comes down to considering polynomials of the shape $m_1 p_1 + \cdots + m_k p_k$ for some polynomial multipliers $m_1, \ldots, m_k$. Hence, these polynomials are linear combinations of $p_1, \ldots, p_k$ with coefficients in $R$. And the goal is then to find such a linear combination within some target subspace of $R$.

To do this mechanically, one may consider two main strategies. Either one chooses a priori search spaces for the $m_i$ (for instance, polynomials with degree under some bound) and one performs linear algebra on their coefficients. (This is the basic idea of XL algorithms [?].) Or one defines a priority list among terms to be eliminated (called an ordering) and one performs systematic leading term reductions on the polynomials $p_1, \ldots, p_k$ and on the new polynomials that are generated by this process, until it can be predicted that any further combination will reduce to zero. (This is the basic idea of Gröbner bases algorithms [?].) These two strategies are not as different as it could seem. Indeed, to reduce the head terms of the polynomials $p_1, \ldots, p_k$ by one another, one determines the respective sets of multipliers $\{m_1\}, \ldots, \{m_k\}$ that are needed to do so. Then it remains to perform linear algebra on the resulting combinations and to iterate with polynomials with new head terms that may be found in this process. Both strategies therefore have a clear intersection, although Gröbner bases algorithms are natively more careful with the number of combinations to be dealt with.

In any case, it is convenient to arrange the available combinations with respect to their total degree. For any integer $d \geq 1$, let $V_d$ denote the set of combinations of degree $d$ multiples of $p_1, \ldots, p_k$. It is a linear subspace of all polynomials of degree at most $d$. This paper focuses on an intrinsic parameter of polynomials, which we call degree of regularity. This parameter was introduced in [?]; it is commonly considered as the main complexity parameter for the following intuitive reasons. Let $\mathcal{A}$ be an algorithm that computes such combinations and, indexing its execution steps by $t$, consider the subspace $V_d[\mathcal{A}(t)]$ of combinations of degree $d$ multiples that are computed through $\mathcal{A}$ up to $t$. Obviously, $V_d[\mathcal{A}(t)] \subset V_d \subset R_{\leq d}$. Now, choose a target subspace $W_d \subset R_{\leq d}$. There exists an element of $W_d$ among combinations in degree $d$ when the intersection of $V_d$ and $W_d$ is not zero, and such a combination is found by the algorithm $\mathcal{A}$ before step $t$ if $V_d[\mathcal{A}(t)] \cap W_d \neq \{0\}$. When the polynomials $p_1, \ldots, p_k$ are not too specific, the intersection of $V_d$ and $W_d$ is expected to be non-zero only when the sum of their respective dimensions exceeds the dimension of $R_{\leq d}$ itself. In this case, any algorithm $\mathcal{A}$ can just consider combinations in degree $d$ to find a non-zero element of $W_d$. It is assured to find one at step $t$ if $V_d[\mathcal{A}(t)] = V_d$. On the other hand, should the intersection of $V_d$ and $W_d$ be non-zero at a significantly lower degree than expected for a random subspace $V_d$, this would suggest that the polynomials $p_1, \ldots, p_k$ are not random. Interesting choices of a target subspace $W_d$ are polynomials of low degree. For instance, one may consider whether there exists a non-zero polynomial of degree strictly lower than $d$ among combinations in degree $d$. Such a combination is called a degree fall, and the smallest degree at which such a degree fall occurs is essentially the degree of regularity. A precise definition will be given in the sequel. An algorithm $\mathcal{A}$ finds the degree of regularity when at some step $t$ its subspace of combinations in degree $d$ contains a degree fall. At this point, it is worth noting that when using a Gröbner basis algorithm it is best to use an ordering that refines the degree. Indeed, in this case new head terms are confined among the smallest degree monomials.

The degree of regularity permits distinguishing a system of polynomials from random. Furthermore, any degree fall can give a whole new set of multiples in degree $d$ or even below, which can be further combined with the existing combinations. Moreover, the dimension of $V_d$ usually takes large steps as one increments $d$, and then many degree falls appear at once. These degree falls in turn help the appearance of new degree falls in lower degrees. Either these degree falls are low enough to solve the system (e.g. linear polynomials) or one pushes the computation until obtaining a complete Gröbner basis.

2.2 Systems with Field Equations over a Finite Field 

In the setting of cryptographic schemes, the coefficient field is a finite field $\mathbb{F}_q$ (with $q$ elements) and the solutions are searched with coordinates in this finite field. Let $x_1, \ldots, x_n$ denote the variables of $R$. Then one actually searches for the solutions of the system $\{p_1 = 0, \ldots, p_k = 0\}$ with the additional equations $\{x_1^q - x_1 = 0, \ldots, x_n^q - x_n = 0\}$. Equivalently, since the $x_i$ describe values in $\mathbb{F}_q$, all monomials in $R$ can be reduced according to the rules $x_i^q = x_i$, $i = 1, \ldots, n$. Then, all combinations of the polynomials $p_1, \ldots, p_k$ can be considered in the reduced ring $R_q = \mathbb{F}_q[x_1, \ldots, x_n]/\{x_1^q - x_1, \ldots, x_n^q - x_n\}$.

While in the sequel we compute the degree of regularity of underdetermined systems ($k < n$) in a reduced ring, it serves in upper bounding the degree of regularity of a public HFE system with exactly $n$ polynomials. In this case, the expected number $N$ of solutions is hardly more than one, and it can be shown that any Gröbner basis for any ordering that refines the degree contains at least $n - N$ linearly independent degree-1 polynomials (cf. full version). Hence, our setting makes it particularly easy to derive the solutions from a Gröbner basis.

Since in the sequel we only encounter systems of quadratic polynomials, for convenience's sake we specialize the following definitions to this case. Let $p_1, \ldots, p_k$ be a system of quadratic polynomials in $R_q$. For any integer $d \geq 2$, consider the subspace of combinations $m_1 p_1 + \cdots + m_k p_k$ where the $m_i$ have degree at most $d - 2$ in $R_q$. By definition, it is the image space of the map
\[
  \sigma_d(p_1, \ldots, p_k) : (m_1, \ldots, m_k) \in \bigl((R_q)_{\leq d-2}\bigr)^k \longmapsto m_1 p_1 + \cdots + m_k p_k.
\]
An important observation is that the kernel of $\sigma_d(p_1, \ldots, p_k)$ always contains predictable non-zero tuples called trivial syzygies. Examples of trivial syzygies are the combinations over $R_q$ of the $k$-tuples with $m_i = p_j$, $m_j = -p_i$ for some $i, j$ and $0$ otherwise. A formal definition of trivial syzygies is the following. For indeterminates $y_1, \ldots, y_k$, let $T_q(y_1, \ldots, y_k)$ denote the set of $k$-tuples $(m_1, \ldots, m_k)$ over $R_q[y_1, \ldots, y_k]/\{y_1^q - y_1, \ldots, y_k^q - y_k\}$ such that $m_1 y_1 + \cdots + m_k y_k = 0$. For any polynomials $p_1, \ldots, p_k$ over $R_q$, we call trivial syzygies of $p_1, \ldots, p_k$ the evaluations of the $k$-tuples in $T_q(y_1, \ldots, y_k)$ at $(p_1, \ldots, p_k)$.

When searching for degree falls, we are only interested in the subspace $V_d$ spanned by the highest degree homogeneous part of the image of $\sigma_d(p_1, \ldots, p_k)$. This subspace is spanned by the degree $d$ homogeneous parts of the combinations $m_1 p_1 + \cdots + m_k p_k$ where $m_1, \ldots, m_k$ are homogeneous polynomials of degree $d - 2$. We define a degree fall in degree $d$ of $p_1, \ldots, p_k$ as a $k$-tuple $(m_1, \ldots, m_k)$ of degree $d - 2$ homogeneous polynomials such that the degree $d$ homogeneous part of $m_1 p_1 + \cdots + m_k p_k$ is zero. The degree $d - 2$ homogeneous parts of the trivial syzygies of $p_1, \ldots, p_k$ in degree $d - 2$ are trivially degree falls, and we call them trivial degree falls. We call the degree of regularity of $p_1, \ldots, p_k$ the smallest $d$ such that a non-trivial degree fall of $p_1, \ldots, p_k$ exists in degree $d$.

3 Definition of HFE Systems

The construction of HFE systems is based on the linear isomorphism between $(\mathbb{F}_q)^n$ and $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$. Recall that $\mathbb{F}_{q^n}$ is a degree $n$ polynomial extension over $\mathbb{F}_q$ and as a consequence is an $n$-dimensional vector space over $\mathbb{F}_q$. Any choice of a basis of $\mathbb{F}_{q^n}$ defines a linear bijection $S$ from $(\mathbb{F}_q)^n$ to $\mathbb{F}_{q^n}$, and extends to a linear bijection $\psi_S$ from functions on $\mathbb{F}_{q^n}$ to functions on $(\mathbb{F}_q)^n$ by:

$$\psi_S : P \longmapsto S^{-1} \circ P \circ S$$

Recall that functions on $(\mathbb{F}_q)^n$ are uniquely represented by $n$-tuples of polynomials in $R_q = \mathbb{F}_q[x_1, \ldots, x_n]/\{x_1^q - x_1, \ldots, x_n^q - x_n\}$ and that functions on $\mathbb{F}_{q^n}$ are uniquely represented by polynomials in $\mathbb{F}_{q^n}[X]/\{X^{q^n} - X\}$. This gives an expression of $\psi_S$ on polynomials: $\psi_S : \mathbb{F}_{q^n}[X]/\{X^{q^n} - X\} \longrightarrow (R_q)^n$. Also recall that raising to a power of $q$ is linear over $\mathbb{F}_q$ and that the $n$ distinct $q$-powerings on $\mathbb{F}_{q^n}$ are called the Frobenius maps. More generally, for any power function $X^a$ in $\mathbb{F}_{q^n}[X]/\{X^{q^n} - X\}$, we call $q$-degree of $X^a$ the sum $a_0 + \cdots + a_{n-1}$, where $(a_0, a_1, \ldots, a_{n-1})$ is the decomposition of $a$ in base $q$. In particular, constants have $q$-degree $0$ and Frobenius maps have $q$-degree $1$. Since any function in $\mathbb{F}_{q^n}[X]/\{X^{q^n} - X\}$ is a linear combination of power functions, we define $q$-degree as the maximal $q$-degree of its terms. The following proposition ensures that $\psi_S$ maps $q$-degree in $\mathbb{F}_{q^n}[X]/\{X^{q^n} - X\}$ to degree in $(R_q)^n$.

Proposition 1. Let $S$ be an arbitrary linear bijection from $(\mathbb{F}_q)^n$ to $\mathbb{F}_{q^n}$. For any integer $d \ge 0$, $\psi_S$ defines a bijection from polynomials in $\mathbb{F}_{q^n}[X]/\{X^{q^n} - X\}$ with $q$-degree $d$ to $n$-tuples over $R_q$ with degree $d$.


Please refer to the full version for a proof. We are now ready to define HFE systems. Recall from the introduction that an HFE public key is the data of the $n$ coordinate polynomials of a composition $T \circ P \circ S$ where $S$ is a linear bijection from $(\mathbb{F}_q)^n$ to $\mathbb{F}_{q^n}$, $T$ is a linear bijection from $\mathbb{F}_{q^n}$ to $(\mathbb{F}_q)^n$ and $P$ is a function on $\mathbb{F}_{q^n}$ which as a polynomial in $\mathbb{F}_{q^n}[X]/\{X^{q^n} - X\}$ has the shape

$$P(X) = \sum_{i, j \le D} p_{ij}\, X^{q^i + q^j} + \sum_{k \le D} b_k\, X^{q^k} + c$$

where $D$ is a parameter of the scheme. For any linear bijection $S$, we call HFE systems the systems in $(R_q)^n$ which are the images by $\psi_S$ of the polynomials $P(X)$ of the above shape. We see from the above proposition that HFE systems are quadratic and that their only particularity in this class is to correspond to a polynomial $P(X)$ of degree upper bounded by $2q^D$. Since $T$ is a linear bijection, an HFE public key has all the algebraic properties of an HFE system.

4 Combinations of HFE Polynomials

In this section, we map combinations of HFE systems to related operations on the defining polynomial in $\mathbb{F}_{q^n}[X]/(X^{q^n} - X)$. This mapping was outlined in [13] and is made precise here. Incidentally, it is independent of the particular shape of HFE defining polynomials and hence is valid for any cryptosystem following a similar construction. To lighten the notation, we now denote $\mathcal{R}_{q^n} = \mathbb{F}_{q^n}[X]/\{X^{q^n} - X\}$. This section is a chain of technical points which are necessary to make the mapping complete. For a quick reading, one may jump directly to Subsection 4.4.

4.1 From Combinations in $R_q$ to Combinations in $\mathcal{R}_{q^n}$

Let $P$ be any polynomial in $\mathcal{R}_{q^n}$ and $(p_1, \ldots, p_n) = \psi_S(P)$. We have defined combinations of $p_1, \ldots, p_n$ as linear combinations of $p_1, \ldots, p_n$ with coefficients in $R_q$. Hence, $n$-tuples of linear combinations over $R_q$ are products by $n \times n$ matrices over $R_q$. Proposition 1 implies that $\psi_S^{-1}$ is a linear bijection from linear maps on $(\mathbb{F}_q)^n$ to linear combinations over $\mathbb{F}_{q^n}$ of the Frobenius maps. We extend this result when coefficients are in $R_q$ and $\mathcal{R}_{q^n}$ instead of $\mathbb{F}_q$ and $\mathbb{F}_{q^n}$.

Proposition 2. Let $S$ be an arbitrary linear bijection from $(\mathbb{F}_q)^n$ to $\mathbb{F}_{q^n}$. There exists an $\mathbb{F}_q$-linear bijection $\psi_S^*$ from $(\mathcal{R}_{q^n})^n$ to $n \times n$ matrices over $R_q$, such that for any $M_0, \ldots, M_{n-1}$ and $P$ in $\mathcal{R}_{q^n}$,

$$\psi_S^*(M_0, \ldots, M_{n-1})\, \psi_S(P) = \psi_S\big(M_0 P^{q^0} + \cdots + M_{n-1} P^{q^{n-1}}\big). \qquad (1)$$

Proof. We simply construct $\psi_S^*$ by hand by considering the above identity over the set of constant functions $P = a$ with $a$ in $\mathbb{F}_{q^n}$. Since $\psi_S$ is linear we only need to consider $P = a$ for $a$ over a basis of $\mathbb{F}_{q^n}$. For any $i = 1, \ldots, n$, let $e_i \in \mathbb{F}_{q^n}$ denote the image by $S$ of the $i$-th canonical vector of $(\mathbb{F}_q)^n$. For any $M_0, \ldots, M_{n-1}$, $\psi_S^*(M_0, \ldots, M_{n-1})\, \psi_S(e_i)$ is the $i$-th column of $\psi_S^*(M_0, \ldots, M_{n-1})$ and must be set to $\psi_S\big(\sum_{k=0}^{n-1} M_k (e_i)^{q^k}\big)$. $\psi_S^*$ is linear by the linearity of $\psi_S$. Consider $(M_0, \ldots, M_{n-1})$ whose image by $\psi_S^*$ is zero. Then, $\psi_S$ being a linear bijection, for any $i = 1, \ldots, n$, we have $\sum_{k=0}^{n-1} (e_i)^{q^k} M_k = 0$. The only solution to this invertible system is $M_0 = \cdots = M_{n-1} = 0$, which proves that $\psi_S^*$ is injective. Surjectivity follows from $\psi_S^*$ mapping subspaces of identical dimension over $\mathbb{F}_q$. □
Equation (1) over the constants $e_i$ also shows that the $q$-degree of $(M_0, \ldots, M_{n-1})$ equals the degree of $\psi_S^*(M_0, \ldots, M_{n-1})$. In particular, for any $P$ of $q$-degree $2$ and $d \ge 2$, we define

$$U_{\le d}(P) = \big\{ M_0 P^{q^0} + \cdots + M_{n-1} P^{q^{n-1}} \;\big|\; q\text{-}\deg(M_i) \le d - 2,\ i = 0, \ldots, n-1 \big\}$$

and on the other hand, for $(p_1, \ldots, p_n) = \psi_S(P)$,

$$V_{\le d}(p_1, \ldots, p_n) = \big\{ m_1 p_1 + \cdots + m_n p_n \;\big|\; \deg(m_i) \le d - 2,\ i = 1, \ldots, n \big\} .$$

Property 1. For any $d \ge 2$, $\psi_S$ is a bijection from $U_{\le d}(P)$ to $(V_{\le d}(p_1, \ldots, p_n))^n$.

Proof. $\psi_S^*$ transforms $n$-tuples of $q$-degree $\le d - 2$ to $n \times n$ matrices of degree $\le d - 2$. Both spans have the same dimension over $\mathbb{F}_q$ by Proposition 1, hence $\psi_S^*$ is a bijection from the one to the other. Finally, the property holds by the identity satisfied by $\psi_S^*$ and evaluated at the particular $P$. □

Since the dimension of $(V_{\le d})^n$ is $n$ times the dimension of $V_{\le d}$ and the dimension of $U_{\le d}$ over $\mathbb{F}_q$ is $n$ times its dimension over $\mathbb{F}_{q^n}$, the property implies

$$\dim_{\mathbb{F}_q}\big(V_{\le d}(p_1, \ldots, p_n)\big) = \dim_{\mathbb{F}_{q^n}}\big(U_{\le d}(P)\big) .$$

4.2 From Degree Falls in $R_q$ to $q$-Degree Falls in $\mathcal{R}_{q^n}$

When considering degree falls, one is really interested in the subspace spanned by the highest degree homogeneous part of a bounded degree combination space. For any quadratic polynomials $p_1, \ldots, p_n$ in $R_q$ and any integer $d \ge 2$, let $V_d^h(p_1, \ldots, p_n)$ denote the subspace generated by the degree $d$ homogeneous parts of polynomials in $V_{\le d}(p_1, \ldots, p_n)$. Similarly, for any polynomial $P$ of $q$-degree $2$ in $\mathcal{R}_{q^n}$ and any integer $d \ge 2$, let $U_d^h(P)$ denote the subspace of $q$-degree $d$ homogeneous parts of polynomials in $U_{\le d}(P)$. Quite expectably, we have:

Property 2. Let $P$ in $\mathcal{R}_{q^n}$ and $(p_1, \ldots, p_n) = \psi_S(P)$. Then, for any $d \ge 2$, there exists an $\mathbb{F}_q$-linear bijection from $U_d^h(P)$ to $(V_d^h(p_1, \ldots, p_n))^n$.

Proof. The highest degree homogeneous part of a polynomial $p$ in $R_q$ with degree $d \ge 2$ is its class mod $(R_q)_{\le d-1}$. Hence, $V_d^h(p_1, \ldots, p_n)$ is $V_{\le d}(p_1, \ldots, p_n)$ mod $(R_q)_{\le d-1}$. Similarly $U_d^h(P)$ is $U_{\le d}(P)$ mod $(\mathcal{R}_{q^n})_{\le d-1}$. Let $Q$ and $Q'$ be arbitrary polynomials in $\mathcal{R}_{q^n}$ such that $Q = Q'$ mod $(\mathcal{R}_{q^n})_{\le d-1}$. Then, $Q - Q'$ has $q$-degree at most $d - 1$. Since $\psi_S$ preserves the degree, $\psi_S(Q - Q')$ has degree at most $d - 1$. Hence, since $\psi_S$ is linear, $\psi_S(Q) = \psi_S(Q')$ mod $((R_q)_{\le d-1})^n$. Therefore, $\psi_S$ induces an $\mathbb{F}_q$-linear map from $\mathcal{R}_{q^n}$ mod $(\mathcal{R}_{q^n})_{\le d-1}$ to $(R_q)^n$ mod $((R_q)_{\le d-1})^n$.

Since $\psi_S$ is a bijection from $U_{\le d}(P)$ to $(V_{\le d}(p_1, \ldots, p_n))^n$, the induced map is a bijection from $U_d^h(P)$ to $(V_d^h(p_1, \ldots, p_n))^n$. □

Let $R_q^h$ denote the set of homogeneous polynomials of $R_q$. For any polynomial $p$ in $R_q$ and any integer $d \ge 0$, let $[p]_d$ denote the degree $d$ homogeneous part of $p$. For any system $p_1, \ldots, p_n$ of quadratic polynomials in $R_q$ and any $d \ge 2$, the degree falls of $p_1, \ldots, p_n$ in degree $d$ are the kernel of the map

$$\sigma_d^h(p_1, \ldots, p_n) : (m_1, \ldots, m_n) \in ((R_q^h)_{d-2})^n \longmapsto [m_1 p_1 + \cdots + m_n p_n]_d .$$

With completely transposed notations, for any $P$ of $q$-degree $2$ in $\mathcal{R}_{q^n}$ and any $d \ge 2$, we define the $q$-degree falls of $P$ in degree $d$ as the kernel of the map

$$\Sigma_d^h(P) : (M_0, \ldots, M_{n-1}) \in ((\mathcal{R}_{q^n}^h)_{d-2})^n \longmapsto \big[M_0 P + M_1 P^q + \cdots + M_{n-1} P^{q^{n-1}}\big]_d .$$

The image spaces of $\sigma_d^h(p_1, \ldots, p_n)$ and $\Sigma_d^h(P)$ respectively are $V_d^h(p_1, \ldots, p_n)$ and $U_d^h(P)$. Property 2 ensures that when $(p_1, \ldots, p_n) = \psi_S(P)$ the image spaces of $(\sigma_d^h(p_1, \ldots, p_n))^n$ and $\Sigma_d^h(P)$ have the same cardinality. Besides, Proposition 1 ensures that the same holds for their input spaces. Therefore, the kernels of $(\sigma_d^h(p_1, \ldots, p_n))^n$ and $\Sigma_d^h(P)$ have the same cardinality. Finally,

$$\dim_{\mathbb{F}_q}\big(\ker \sigma_d^h(p_1, \ldots, p_n)\big) = \dim_{\mathbb{F}_{q^n}}\big(\ker \Sigma_d^h(P)\big). \qquad (2)$$

4.3 Trivial Syzygies and Trivial Degree Falls

Trivial syzygies of $p_1, \ldots, p_n$ are $n$-tuples over $R_q$ such that $m_1 p_1 + \cdots + m_n p_n = 0$ even when $p_1, \ldots, p_n$ are indeterminates. They are precisely defined the following way. Let $\overline{R}_q$ denote the extension of $R_q$ with additional variables $y_1, \ldots, y_n$, $\overline{R}_q = R_q[y_1, \ldots, y_n]/\{y_1^q - y_1, \ldots, y_n^q - y_n\}$. Let $T_q(y_1, \ldots, y_n)$ denote the set of $n$-tuples $(m_1, \ldots, m_n)$ over $\overline{R}_q$ such that $m_1 y_1 + \cdots + m_n y_n = 0$. For any polynomials $p_1, \ldots, p_n$ in $R_q$, we define their trivial syzygies as the evaluations of the $n$-tuples in $T_q(y_1, \ldots, y_n)$ at $(p_1, \ldots, p_n)$. As a shorthand, let $T_q(p_1, \ldots, p_n)$ denote the set of trivial syzygies of $p_1, \ldots, p_n$.

Elements of $\overline{R}_q$ are polynomials in both $x_1, \ldots, x_n$ and $y_1, \ldots, y_n$. For any monomial in $\overline{R}_q$, let $d_x$, $d_y$ denote its degrees in $x_1, \ldots, x_n$ and in $y_1, \ldots, y_n$ respectively. Since variables $y_1, \ldots, y_n$ are intended to be specialized at quadratic polynomials $p_1, \ldots, p_n$ in $R_q$, we define the $(1, 2)$-degree of a monomial in $\overline{R}_q$ as $d_x + 2 d_y$, and the $(1, 2)$-degree of a polynomial in $\overline{R}_q$ as the maximum of the $(1, 2)$-degrees of its monomials. Hence, any element of $T_q(y_1, \ldots, y_n)$ with $(1, 2)$-degree $d$ yields an element of $T_q(p_1, \ldots, p_n)$ with degree $\le d$. We call trivial syzygies of $p_1, \ldots, p_n$ with designed degree $d$ the elements of $T_q(p_1, \ldots, p_n)$ whose corresponding element of $T_q(y_1, \ldots, y_n)$ has $(1, 2)$-degree $d$. The trivial syzygies with designed degree $\le d$ are denoted by $T_q(p_1, \ldots, p_n)_{\preceq d}$. On the other hand, one may analogously consider the extension of $\mathcal{R}_{q^n}$ with additional variable $Y$, $\overline{\mathcal{R}}_{q^n} = \mathcal{R}_{q^n}[Y]/(Y^{q^n} - Y)$, and define $\mathcal{T}_{q^n}(Y)$ as the $n$-tuples $(M_0, \ldots, M_{n-1})$ over $\overline{\mathcal{R}}_{q^n}$ such that $M_0 Y + M_1 Y^q + \cdots + M_{n-1} Y^{q^{n-1}} = 0$. For any $P$ in $\mathcal{R}_{q^n}$, let $\mathcal{T}_{q^n}(P)$ denote the evaluations of the $n$-tuples in $\mathcal{T}_{q^n}(Y)$ at $P$. Finally, for any $P$ of $q$-degree $2$ and any $d \ge 0$, we let $\mathcal{T}_{q^n}(P)_{\preceq d}$ denote the elements whose corresponding elements in $\mathcal{T}_{q^n}(Y)$ have $(1, 2)$-$q$-degree at most $d$. By a series of simple extensions of the previous results, we can show (cf. full version)

Property 3. Let $P$ in $\mathcal{R}_{q^n}$ of $q$-degree $2$ and $(p_1, \ldots, p_n) = \psi_S(P)$. For any $d \ge 0$, $\dim_{\mathbb{F}_q}\big(T_q(p_1, \ldots, p_n)_{\preceq d}\big) = \dim_{\mathbb{F}_{q^n}}\big(\mathcal{T}_{q^n}(P)_{\preceq d}\big)$.
The polynomials $p_1, \ldots, p_n$ being quadratic, for any $d \ge 2$, we call trivial degree falls of $p_1, \ldots, p_n$ in degree $d$ the homogeneous parts of (actual) degree $d - 2$ of the elements in $T_q(p_1, \ldots, p_n)_{\preceq d-2}$ and denote them (with a slight abuse of notation) by $T_q(p_1, \ldots, p_n)^h_{d-2}$. Similarly, for $P$ of $q$-degree $2$, we call trivial $q$-degree falls of $P$ in $q$-degree $d$ the homogeneous parts of $q$-degree $d - 2$ of the elements in $\mathcal{T}_{q^n}(P)_{\preceq d-2}$ and denote them by $\mathcal{T}_{q^n}(P)^h_{d-2}$. We have (cf. full version)

Property 4. Let $P$ in $\mathcal{R}_{q^n}$ of $q$-degree $2$ and $(p_1, \ldots, p_n) = \psi_S(P)$. For any $d \ge 2$,

$$\dim_{\mathbb{F}_q}\big(T_q(p_1, \ldots, p_n)^h_{d-2}\big) = \dim_{\mathbb{F}_{q^n}}\big(\mathcal{T}_{q^n}(P)^h_{d-2}\big) .$$

4.4 Mapping the Degree of Regularity from $R_q$ to $\mathcal{R}_{q^n}$

Recall that the degree of regularity of a system of quadratic polynomials $p_1, \ldots, p_n$ is the smallest integer $d$ such that a non-trivial degree fall exists in degree $d$. With the previous notation, this is the smallest $d$ such that the kernel of $\sigma_d^h(p_1, \ldots, p_n)$ is strictly larger than $T_q(p_1, \ldots, p_n)^h_{d-2}$. Now, let $S$ be an arbitrary linear bijection from $(\mathbb{F}_q)^n$ to $\mathbb{F}_{q^n}$ and $P$ in $\mathcal{R}_{q^n}$ such that $\psi_S(P) = (p_1, \ldots, p_n)$. Then, $P$ has $q$-degree $2$ and, by Equality (2) and Property 3,

Property 5. The degree of regularity of $p_1, \ldots, p_n$ is the smallest $d$ such that the kernel of $\Sigma_d^h(P)$ is strictly larger than $\mathcal{T}_{q^n}(P)^h_{d-2}$.

Hence, we obtain an equivalent characterization of the degree of regularity of $p_1, \ldots, p_n$ in terms of the associated polynomial $P$ in $\mathcal{R}_{q^n}$. In the remainder of this section, we slightly modify the above characterization to make it more conveniently usable in the analysis of the next section.


Multivariate representation of $\mathcal{R}_{q^n}$. Our first step is a simple alternative notation for the elements of $\mathcal{R}_{q^n}$. This notation was proposed in [?]. As already seen, we can split any power of $X$ according to the decomposition in base $q$ of the exponent. Now simply introduce a distinct notation for the Frobenius of $X$: for $i = 0, \ldots, n-1$, let $X_i$ denote $X^{q^i}$. Observe that for any $i = 0, \ldots, n-1$, $X_i^q - X_{i+1} = 0$ where the indices are taken modulo $n$. Using these relations, any power of $X$ corresponds to a unique multivariate monomial in $X_0, \ldots, X_{n-1}$. It extends trivially to all polynomials in $\mathcal{R}_{q^n}$. Addition and multiplication are compatible with this notation. Therefore, $\mathcal{R}_{q^n}$ identifies as a ring with $\mathbb{F}_{q^n}[X_0, \ldots, X_{n-1}]/\{X_0^q - X_1, \ldots, X_{n-1}^q - X_0\}$. Along with this identification, $q$-degree becomes degree in the multivariate ring. Also, for any polynomial $P$ in $\mathcal{R}_{q^n}$, let $P_0, \ldots, P_{n-1}$ denote its successive Frobenius. For any $i = 0, \ldots, n-1$, $P_i^q - P_{i+1} = 0$ where indices are modulo $n$. When $P$ has $q$-degree $2$, its Frobenius are multivariate quadratic polynomials. Since the $P$-termed sets really express in terms of the Frobenius of $P$, they are conveniently rewritten with the above notation. Hence, $\Sigma_d^h(P)$ rewrites to

$$\Sigma_d^h(P_0, \ldots, P_{n-1}) : (M_0, \ldots, M_{n-1}) \in ((\mathcal{R}_{q^n}^h)_{d-2})^n \longmapsto [M_0 P_0 + \cdots + M_{n-1} P_{n-1}]_d .$$
The ring $\overline{\mathcal{R}}_{q^n} = \mathcal{R}_{q^n}[Y]/(Y^{q^n} - Y)$ rewrites to $\mathcal{R}_{q^n}[Y_0, \ldots, Y_{n-1}]/\{Y_0^q - Y_1, \ldots, Y_{n-1}^q - Y_0\}$. The set $\mathcal{T}_{q^n}(Y)$ rewrites to $\mathcal{T}_{q^n}(Y_0, \ldots, Y_{n-1})$, the $n$-tuples $(M_0, \ldots, M_{n-1})$ over $\overline{\mathcal{R}}_{q^n}$ such that $M_0 Y_0 + \cdots + M_{n-1} Y_{n-1} = 0$. Hence, $\mathcal{T}_{q^n}(P)$ identifies with $\mathcal{T}_{q^n}(P_0, \ldots, P_{n-1})$. And the elements of $\mathcal{T}_{q^n}(P_0, \ldots, P_{n-1})^h_d$ are the degree $d$ homogeneous parts of the elements of $\mathcal{T}_{q^n}(P_0, \ldots, P_{n-1})_{\preceq d}$. Finally, our characterization (Property 5) rewrites to, when $(p_1, \ldots, p_n) = \psi_S(P)$,

Property 6. The degree of regularity of $p_1, \ldots, p_n$ equals the degree of regularity of $P_0, \ldots, P_{n-1}$, the $n$ Frobenius of $P$ in the multivariate representation of $\mathcal{R}_{q^n}$.

At this point, our task is reduced to studying the degree of regularity of the quadratic polynomials $P_0, \ldots, P_{n-1}$ in $\mathcal{R}_{q^n}$, and we do not need to address the polynomials $p_1, \ldots, p_n$ any further. The next paragraph is devoted to refining the characterization of the degree of regularity of $P_0, \ldots, P_{n-1}$.

Characterizing the Degree of Regularity of Systems of $\mathcal{R}_{q^n}$. Our first observation is a simple one: the highest degree terms of combinations in degree $d$ of $P_0, \ldots, P_{n-1}$ only depend on their highest degree terms $[P_0]_2, \ldots, [P_{n-1}]_2$.

Property 7. The degree of regularity of quadratic polynomials in $\mathcal{R}_{q^n}$ equals the degree of regularity of their degree $2$ homogeneous parts.

Proof. For any degree $d - 2$ homogeneous polynomials $M_0, \ldots, M_{n-1}$, the associated combinations of $P_0, \ldots, P_{n-1}$ and of $[P_0]_2, \ldots, [P_{n-1}]_2$ have the same degree $d$ homogeneous part. Hence, degree falls in degree $d$ are the same for both systems of polynomials. On the other hand, the trivial syzygies of $P_0, \ldots, P_{n-1}$ of designed degree $d - 2$ have the same degree $d - 2$ homogeneous parts as the trivial syzygies of $[P_0]_2, \ldots, [P_{n-1}]_2$ of designed degree $d - 2$. The property follows. □

Our second observation is more subtle: when considering combinations of the quadratic homogeneous polynomials $P_0, \ldots, P_{n-1}$ with degree $d - 2$ homogeneous coefficients, terms of degree smaller than $d$ can only appear with reductions modulo the polynomials $X_i^q - X_{i+1}$, $i = 0, \ldots, n-1$. Since all terms with degree smaller than $d$ are discarded, the same result is obtained as when performing combinations in the ring $\widehat{\mathcal{R}}_{q^n} = \mathbb{F}_{q^n}[X_0, \ldots, X_{n-1}]/\{X_0^q, \ldots, X_{n-1}^q\}$. Considering combinations in $\widehat{\mathcal{R}}_{q^n}$ rather than in $\mathcal{R}_{q^n}$, the map $\Sigma_d^h(P_0, \ldots, P_{n-1})$ simply rewrites to $\widehat{\Sigma}_d^h(P_0, \ldots, P_{n-1})$:

$$(M_0, \ldots, M_{n-1}) \in ((\widehat{\mathcal{R}}_{q^n}^h)_{d-2})^n \longmapsto M_0 P_0 + M_1 P_1 + \cdots + M_{n-1} P_{n-1} .$$

Furthermore, we can equivalently characterize the trivial degree falls using the ring structure of $\widehat{\mathcal{R}}_{q^n}$. Consider $\widehat{\overline{\mathcal{R}}}_{q^n} = \widehat{\mathcal{R}}_{q^n}[Y_0, \ldots, Y_{n-1}]/\{Y_0^q, \ldots, Y_{n-1}^q\}$ and the associated set $\widehat{\mathcal{T}}_{q^n}(Y_0, \ldots, Y_{n-1})$. For any $d \ge 0$, we can define the sets $\widehat{\mathcal{T}}_{q^n}(P_0, \ldots, P_{n-1})_{\preceq d}$ and $\widehat{\mathcal{T}}_{q^n}(P_0, \ldots, P_{n-1})^h_d$ exactly as before.

Property 8. For any $d \ge 0$, the sets $\mathcal{T}_{q^n}(P_0, \ldots, P_{n-1})^h_d$ and $\widehat{\mathcal{T}}_{q^n}(P_0, \ldots, P_{n-1})^h_d$ are identical. Therefore, for any $d \ge 2$, the trivial degree falls of $P_0, \ldots, P_{n-1}$ in degree $d$ are the elements of $\widehat{\mathcal{T}}_{q^n}(P_0, \ldots, P_{n-1})^h_{d-2}$.
Proof. For any $(M_0, \ldots, M_{n-1})$ in $\widehat{\mathcal{T}}_{q^n}(Y_0, \ldots, Y_{n-1})$, let $Q$ denote the combination $M_0 Y_0 + \cdots + M_{n-1} Y_{n-1}$ in $\mathcal{R}_{q^n}[Y_0, \ldots, Y_{n-1}]$. Since $Q$ is zero modulo $Y_0^q, \ldots, Y_{n-1}^q$, any of its terms is divisible by at least one of $Y_0^q, \ldots, Y_{n-1}^q$. Since $M_0, \ldots, M_{n-1}$ have degree at most $q - 1$ in any $Y_i$, any term of $Q$ can have degree $q$ in only one single indeterminate and at most $q - 1$ in all the others. Therefore, any term of $Q$ has degree exactly $q$ in one indeterminate and at most $q - 1$ in all the others. Hence, $Q$ admits a unique decomposition $A_0 Y_0^q + \cdots + A_{n-1} Y_{n-1}^q$. Using the unique polynomials $A_0, \ldots, A_{n-1}$ associated to $(M_0, \ldots, M_{n-1})$, we construct an element $(M_0', \ldots, M_{n-1}')$ of $\mathcal{T}_{q^n}(Y_0, \ldots, Y_{n-1})$ by setting for all $i = 0, \ldots, n-1$, $M_i' = M_i - A_{i-1}$ (indices are modulo $n$). Now, observe that the terms of $A_0, \ldots, A_{n-1}$ consist of terms of $M_0, \ldots, M_{n-1}$ divided by one indeterminate to the power of $q - 1$. As a consequence, each of them has a total degree in the $Y_i$ variables smaller (by $q - 1$) than the one it originates from. In particular, when $M_0, \ldots, M_{n-1}$ have $(1, 2)$-degree at most $d$, $M_0', \ldots, M_{n-1}'$ respectively have the same terms of $(1, 2)$-degree $d$ as $M_0, \ldots, M_{n-1}$ because they differ by terms of strictly smaller $(1, 2)$-degree. □

Hence, we end up with the following characterization which we use in the sequel.

Property 9. Let $P_0, \ldots, P_{n-1}$ be homogeneous quadratic polynomials in $\mathcal{R}_{q^n}$. The degree of regularity of $P_0, \ldots, P_{n-1}$ can be computed in $\widehat{\mathcal{R}}_{q^n}$ as the smallest $d \ge 2$ such that degree $d - 2$ homogeneous $n$-tuples $(M_0, \ldots, M_{n-1})$ satisfying $M_0 P_0 + \cdots + M_{n-1} P_{n-1} = 0$ exist besides the elements of $\widehat{\mathcal{T}}_{q^n}(P_0, \ldots, P_{n-1})^h_{d-2}$.

5 Bounding the Degree of Regularity of HFE Systems 

We first describe the proof principle of our upper bound and then perform the 
combinatorial computations that convey the result. 

5.1 Upper Bounding the Degree of Regularity 

First consider arbitrary homogeneous quadratic polynomials $P_0, \ldots, P_{k-1}$ in $\widehat{\mathcal{R}}_{q^n}$ where $k \le n$. The dimensions of the kernel and the image of the map

$$\widehat{\Sigma}_d^h(P_0, \ldots, P_{k-1}) : ((\widehat{\mathcal{R}}_{q^n}^h)_{d-2})^k \longrightarrow (\widehat{\mathcal{R}}_{q^n}^h)_d$$
$$(M_0, \ldots, M_{k-1}) \longmapsto M_0 P_0 + M_1 P_1 + \cdots + M_{k-1} P_{k-1}$$

relate to each other by

$$k \dim(\widehat{\mathcal{R}}_{q^n})^h_{d-2} - \dim \ker \widehat{\Sigma}_d^h(P_0, \ldots, P_{k-1}) = \dim \mathrm{Im}\big(\widehat{\Sigma}_d^h(P_0, \ldots, P_{k-1})\big) .$$

Not knowing what the degree of regularity of the system is, one can assume that it is not reached while incrementing $d$. In this case, the kernel is assumed to contain only the trivial elements of $\widehat{\mathcal{T}}_{q^n}(P_0, \ldots, P_{k-1})^h_{d-2}$. Since the image is confined in $(\widehat{\mathcal{R}}_{q^n})^h_d$, a contradiction to this assumption appears as soon as

$$k \dim(\widehat{\mathcal{R}}_{q^n})^h_{d-2} - \dim \widehat{\mathcal{T}}_{q^n}(P_0, \ldots, P_{k-1})^h_{d-2} > \dim(\widehat{\mathcal{R}}_{q^n})^h_d$$

and then we know that the degree of regularity was reached before. The smallest $d$ satisfying this "saturation" condition is therefore an upper bound on the degree of regularity of $P_0, \ldots, P_{k-1}$. Since it is valid for any homogeneous quadratic polynomials, we refer to it as the MQ bound.

We now show how, in the case of HFE systems, better bounds can be obtained.

5.2 The Case of HFE Systems

It was noted in [?] that when $P_0, \ldots, P_{n-1}$ are obtained from the Frobenius of an HFE polynomial $P$, they express over small shifted sets of consecutive variables: $P_0$ expresses over $X_0$ to $X_D$, $P_1$ expresses over $X_1$ to $X_{D+1}$, \ldots, $P_{n-1}$ expresses over $X_{n-1}$ to $X_{D-1}$ (indices are modulo $n$). Then, the authors noted that a consequence of this property is that small subsystems of consecutive polynomials only involve a small subset of the available variables. Consecutive subsystems of a prescribed size being all equivalent up to a cyclic shift, we focus on the $n$ subsystems $S_k = \{P_0, \ldots, P_{k-1}\}$ for $k = 1, \ldots, n$. The subsystem $S_k$ expresses over the first $m_k$ variables, where $m_k = D + k$ for all $k \le n - D$ and $m_k = n$ beyond. The degree of regularity of $P_0, \ldots, P_{n-1}$ is upper bounded by the respective degrees of regularity $d_k$ of the subsystems $S_k$ for all $k = 1, \ldots, n$. Indeed the degree falls of $S_k$ identify with the degree falls of $P_0, \ldots, P_{n-1}$ with zero on the last $n - k$ coordinates. On the other hand we will show in Section 5.3 (Property 11) that whenever a degree fall is non-trivial for $S_k$, its completion with zero on the last $n - k$ coordinates is non-trivial for $P_0, \ldots, P_{n-1}$. At this point, the authors of [?] estimated the degree of regularity of any subsystem $S_k$ by using an asymptotic formula from [2]. This needed restricting to $q = 2$ and assuming that the quadratic polynomials $P_0, \ldots, P_{k-1}, X_0^2, \ldots, X_{m_k - 1}^2$ satisfy the condition for which the formula holds. Instead, we use the previous saturation bound: we upper bound the degree of regularity of $S_k$ by applying the MQ bound to $P_0, \ldots, P_{k-1}$. Hence it is upper bounded by the smallest $d$ such that

$$k \dim(\widehat{\mathcal{R}}_{q^n}|_{m_k})^h_{d-2} - \dim \widehat{\mathcal{T}}_{q^n}|_{m_k}(P_0, \ldots, P_{k-1})^h_{d-2} > \dim(\widehat{\mathcal{R}}_{q^n}|_{m_k})^h_d \qquad (3)$$

where $\widehat{\mathcal{R}}_{q^n}|_{m_k}$ denotes the restriction of $\widehat{\mathcal{R}}_{q^n}$ to the first $m_k$ variables. Since this upper bound uses a property shown in [?], we refer to it as the GJS bound.
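The multivariate representation of Subsection 4.4 and the shifted-support observation above can both be checked mechanically. The following Python script is an added example, not code from the paper: it stores a monomial $X^a$ as the base-$q$ digit vector of its exponent (so $X_i = X^{q^i}$ and the $q$-degree is the digit sum), applies a Frobenius as a cyclic shift of that vector, builds the $q$-degree-2 support of an HFE polynomial with parameter $D$, and lists the variables on which each subsystem $S_k$ depends. The function names, the exponent-reduction helper and the parameter values in the usage lines are the example's own constructions.

```python
"""Multivariate representation of R_{q^n} and the shifted support of HFE Frobenius.

Added example, not code from the paper.  A monomial X^a is stored as the tuple
of base-q digits (a_0, ..., a_{n-1}) of its exponent, i.e. as
X_0^{a_0} ... X_{n-1}^{a_{n-1}} with X_i = X^{q^i}; the q-degree is the digit sum.
"""


def reduce_exponent(a, q, n):
    """Reduce a using X^{q^n} = X: non-zero exponents are taken modulo q^n - 1."""
    if a == 0:
        return 0
    return (a - 1) % (q ** n - 1) + 1


def to_multivariate(a, q, n):
    """Base-q digits of the reduced exponent a, least significant digit first."""
    a = reduce_exponent(a, q, n)
    digits = []
    for _ in range(n):
        digits.append(a % q)
        a //= q
    return tuple(digits)


def q_degree(a, q, n):
    """q-degree of the power function X^a: sum of the base-q digits of a."""
    return sum(to_multivariate(a, q, n))


def frobenius(mono, i=1):
    """Exponent vector of mono^(q^i): X_j^e -> X_{j+i}^e with indices modulo n."""
    n = len(mono)
    return tuple(mono[(j - i) % n] for j in range(n))


def hfe_quadratic_support(q, n, D):
    """Monomials of q-degree 2 of an HFE polynomial: X^{q^i + q^j}, 0 <= i <= j <= D.

    For q = 2 and i = j the exponent 2^i + 2^i = 2^{i+1} is a Frobenius, hence
    linear (q-degree 1); such terms are dropped because only the quadratic
    homogeneous part matters for the degree of regularity (Property 7).
    """
    monos = set()
    for i in range(D + 1):
        for j in range(i, D + 1):
            m = to_multivariate(q ** i + q ** j, q, n)
            if sum(m) == 2:
                monos.add(m)
    return monos


def variables_used(monos):
    """Sorted indices j such that some monomial in monos involves X_j."""
    return sorted({j for m in monos for j in range(len(m)) if m[j]})


def subsystem_variables(q, n, D, k):
    """Variables appearing in S_k = {P_0, ..., P_{k-1}}, P_i the i-th Frobenius of P."""
    base = hfe_quadratic_support(q, n, D)
    return variables_used({frobenius(m, i) for i in range(k) for m in base})


if __name__ == "__main__":
    q, n, D = 2, 7, 2                                   # constructed toy parameters
    print(to_multivariate(2 ** 1 + 2 ** 3, q, n))       # X^10 = X_1 X_3
    print(variables_used(hfe_quadratic_support(q, n, D)))   # P_0 lives on X_0..X_D
    for k in range(1, n + 1):
        print(k, subsystem_variables(q, n, D, k))       # m_k = D + k, then n
```

For $k \le n - D$ the printed list has exactly $m_k = D + k$ entries, and the Frobenius $P_{n-1}$ (shift by $n-1$) lands on $X_{n-1}, X_0, \ldots, X_{D-1}$, which is the wrap-around described above.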

We now observe an additional property of HFE systems. Since the polynomials $P_0, \ldots, P_{n-1}$ write over monomials $X_i X_{i+\ell}$ with $\ell \le D$, combinations of these polynomials necessarily write over the monomials which are divisible by $X_i X_{i+\ell}$ for some $i$ and $\ell \le D$. Let $\mathcal{M}^D$ denote the subspace spanned by such monomials. For any subsystem $S_k$, we improve the GJS bound by the smallest $d$ such that

$$k \dim(\widehat{\mathcal{R}}_{q^n}|_{m_k})^h_{d-2} - \dim \widehat{\mathcal{T}}_{q^n}|_{m_k}(P_0, \ldots, P_{k-1})^h_{d-2} > \dim(\mathcal{M}^D|_{m_k})^h_d \qquad (4)$$

where $(\mathcal{M}^D|_{m_k})^h_d$ denotes the subspace spanned by degree $d$ monomials of $\mathcal{M}^D$ in the first $m_k$ variables. The distinction between $\mathcal{M}^D$ and $\widehat{\mathcal{R}}_{q^n}$ is increasingly significant as $q$ grows. Indeed, at fixed $n$ and $d$, the average Hamming weight of multidegrees in degree $d$ decreases as $q$ grows. Then, the proportion of monomials containing two variables distant by at most $D$ indices (mod $n$) grows thinner. We call HFE bound the upper bound on the degree of regularity of $P_0, \ldots, P_{n-1}$ obtained from the latter improvement.

We now compute for any $d \ge 2$ and any $k = 1, \ldots, n$ the above dimensions by means of induction formulae and deduce the related numerical upper bound.

5.3 Induction Formulae for Computing Our Upper Bound 

We show how to compute the dimensions of $(\widehat{\mathcal{R}}_{q^n}|_m)^h_d$, $(\mathcal{M}^D|_m)^h_d$ and $\widehat{\mathcal{T}}_{q^n}|_m(P_0, \ldots, P_{k-1})^h_d$, for any $m, k = 1, \ldots, n$.

The dimension $H(m, d)$ of $(\widehat{\mathcal{R}}_{q^n}|_m)^h_d$ is simply the number of homogeneous monomials of degree $d$ in $m$ variables, where all exponents are bounded between $0$ and $q - 1$. Obviously, $H(m, d) = 0$ for $d < 0$, or $d > 0$ and $m \le 0$; we have $H(m, 0) = 1$ for all $m$; and when $d > 0$, $m > 0$ it satisfies the induction $H(m, d) = \sum_{a=0}^{q-1} H(m - 1, d - a)$. Equivalently, $H(m, d)$ is the $d$-th term of the series $((1 - z^q)/(1 - z))^m$ in $z$. In particular, for $q = 2$, $H(m, d) = \binom{m}{d}$.


The Number of Monomials Arising in Combinations of HFE. For any $d \ge 0$ and $u = 1, \ldots, n$, let $C(u, d)$ denote the dimension of the complement of $(\mathcal{M}^D|_u)^h_d$ in $(\widehat{\mathcal{R}}_{q^n}|_u)^h_d$. This is the number of monomials of degree $d$ in $u$ consecutive variables, with exponents between $0$ and $q - 1$, such that all variables with non-zero exponents have indices (modulo $n$) distant by at least $D + 1$ positions. First, ignore that the distance between indices is taken modulo $n$, and allow for instance $X_0$ and $X_{n-1}$ to both have a non-zero power. Then, $C'(u, d)$ is given by the simple "Pascal's triangle" formula $C'(u, d) = C'(u - 1, d) + \sum_{\alpha=1}^{q-1} C'(u - D - 1, d - \alpha)$ for any $u = 1, \ldots, n$, where $C'(u, 0) = 1$ and $C'(u, d) = 0$ whenever $d < 0$ or $u \le 0$. When $u$ is lower than $n - D$, the requested dimension $C(u, d)$ equals $C'(u, d)$ since the last $D$ variables have zero exponents. Otherwise, when $u \ge n - D$, the distance must be taken modulo $n$, so we deduce all values of $C(n, d)$ by considering the partition defined by monomials containing $X_0$, plus monomials containing $X_1$, \ldots, plus monomials containing $X_{D-1}$, plus monomials containing none of them. Hence, $C(u, d) = C'(u - D, d) + D \sum_{\alpha=1}^{q-1} C'(n - 1 - 2D, d - \alpha)$. Finally, $\dim(\mathcal{M}^D|_u)^h_d = H(u, d) - C(u, d)$.


The Dimension of Trivial Syzygies in Degree $d$. Simply denote $\widehat{\mathcal{R}}_{q^n}|_m$ by $\mathcal{R}_m$. Our first step is to exhibit generators for the module $\mathcal{T}_m(Y_0, \ldots, Y_{k-1})$.

Property 10. An $n$-tuple $(M_0, \ldots, M_{k-1})$ is an element of $\mathcal{T}_m(Y_0, \ldots, Y_{k-1})$ if and only if it is a combination with polynomial coefficients of the $n$-tuples

$$\Gamma_{ij} = (0, \ldots, 0, M_i = Y_j, 0, \ldots, 0, M_j = -Y_i, 0, \ldots, 0), \quad i, j = 0, \ldots, k-1,$$
$$\Phi_i = (0, \ldots, 0, M_i = Y_i^{q-1}, 0, \ldots, 0), \quad i = 0, \ldots, k-1.$$

Proof. For any $n$-tuple $(M_0, \ldots, M_k)$, decompose $M_i$ into $M_i'' Y_i^{q-1} + M_i'$. An $n$-tuple $(M_0, \ldots, M_k)$ is an element of $\mathcal{T}_m(Y_0, \ldots, Y_k)$ if and only if $M_0 Y_0 + \cdots + M_k Y_k$ is zero modulo $Y_0^q, \ldots, Y_k^q$. This is equivalent to $M_0' Y_0 + \cdots + M_k' Y_k = 0$ (without modulo). We prove that this latter equality implies that $(M_0', \ldots, M_k')$ is a combination of the $\Gamma_{ij}$'s. We do this through induction on $k$. If $k = 1$ then, if $M_0'$ or $M_1'$ is zero they are both zero, otherwise $M_0' = M'' Y_1$ and $M_1' = -M'' Y_0$ and $(M_0', M_1') = M''(Y_1, -Y_0)$. Assume the property holds up to $k - 1$. Then, if $M_k'$ is zero, we fall on the property at $k - 1$, otherwise all $M_i'$, $i = 0, \ldots, k-1$ must contain $Y_k$ and denoting by $M_i''$ the quotient, we have $M_k' = -(M_0'' Y_0 + \cdots + M_{k-1}'' Y_{k-1})$, from which we get $(M_0', \ldots, M_k') = M_0'' \Gamma_{0,k} + \cdots + M_{k-1}'' \Gamma_{k-1,k}$. Coming back to the main proof, we get $(M_0, \ldots, M_k) = M_0'' \Phi_0 + \cdots + M_k'' \Phi_k + (M_0', \ldots, M_k')$ where the last $n$-tuple decomposes over the $\Gamma_{ij}$'s. □

Since the $\Gamma_{ij}$'s and $\Phi_i$'s are homogeneous in the variables $Y_0, \ldots, Y_{k-1}$, the $(1, 2)$-degree $d$ parts of the elements of $\mathcal{T}_m(Y_0, \ldots, Y_{k-1})$ themselves decompose over these generators. Replacing variables $Y_0, \ldots, Y_{k-1}$ respectively by $P_0, \ldots, P_{k-1}$, trivial syzygies in degree $d$ of $P_0, \ldots, P_{k-1}$ write

$$\mathcal{T}_m(P_0, \ldots, P_{k-1})^h_d = (\mathcal{R}_m)^h_{d-2}\{\Gamma_{ij}\}_{0 \le i < j \le k-1} + (\mathcal{R}_m)^h_{d-2(q-1)}\{\Phi_i\}_{0 \le i \le k-1}$$

where we again denote by $\Gamma_{ij}$'s and $\Phi_i$'s their specializations at $(P_0, \ldots, P_{k-1})$. Unfortunately, decomposition over the above generators is not unique. Therefore, the dimension of $\mathcal{T}_m(P_0, \ldots, P_{k-1})^h_d$ cannot be directly read from the above formula. However, we see that this dimension follows a simple induction.

Let $\partial\Gamma_{d,k}$ denote the subspace spanned by $\Gamma_{i,k}$, $i = 0, \ldots, k-1$ ($k \ge 1$) and $\partial\Phi_{d,k}$ denote the subspace spanned by $\Phi_k$. Then, for $k \ge 1$,

$$\mathcal{T}_m(P_0, \ldots, P_k)^h_d = \mathcal{T}_m(P_0, \ldots, P_{k-1})^h_d + (\partial\Gamma_{d,k} + \partial\Phi_{d,k}). \qquad (5)$$

For $k = 1$, we simply have $\mathcal{T}_m(P_0)^h_d = \partial\Phi_{d,0}$. For all $k \ge 1$, the increase of dimension when adding $\partial\Gamma_{d,k} + \partial\Phi_{d,k}$ is the dimension of the quotient space $(\partial\Gamma_{d,k} + \partial\Phi_{d,k})$ mod $\mathcal{T}_m(P_0, \ldots, P_{k-1})^h_d$. Now we use the following property.
Property 11. For $d$ up to the degree of regularity of $P_0, \ldots, P_k$,

$$\mathcal{T}_m(P_0, \ldots, P_k)^h_d \cap \{(*, \ldots, *, 0)\}^h_d = \mathcal{T}_m(P_0, \ldots, P_{k-1})^h_d .$$

(Hence, the degree of regularity of $P_0, \ldots, P_k$ is upper-bounded by the degree of regularity of $P_0, \ldots, P_{k-1}$ because a cancellation of $P_0, \ldots, P_{k-1}$ which is non-trivial in the sense of $P_0, \ldots, P_{k-1}$ is non-trivial in the sense of $P_0, \ldots, P_k$.)

Proof. First recall that the $P_i$'s have degree $2$ and the $\Phi_i$'s have degree $2(q - 1) \ge 2$. As a consequence $\mathcal{T}_m(P_0, \ldots, P_{k-1})$ has no element in degree $0$ or $1$.

For any $1 \le a \le q$ and $d \ge 0$, define the set

$$\mathcal{T}^{(a)}_m(P_0, \ldots, P_k)^h_d = \big\{ (M_0, \ldots, M_{k-1}, 0) \;\big|\; \exists M_k' : (M_0, \ldots, M_{k-1}, M_k' P_k^a) \in \mathcal{T}_m(P_0, \ldots, P_k)^h_d \big\} .$$

Observe that for $a = 1$, this set is exactly $\mathcal{T}_m(P_0, \ldots, P_k)^h_d \cap \{(*, \ldots, *, 0)\}^h_d$. We show that for $d$ up to the degree of regularity of $P_0, \ldots, P_k$, and $a \le q - 1$,

$$\mathcal{T}^{(a)}_m(P_0, \ldots, P_k)^h_d \subset \mathcal{T}_m(P_0, \ldots, P_{k-1})^h_d + P_k\, \mathcal{T}^{(a+1)}_m(P_0, \ldots, P_k)^h_{d-2} . \qquad (6)$$

Indeed, let $(M_0, \ldots, M_{k-1}, 0)$ belong to the left-hand side. By definition, there exists $M_k'$ such that $(M_0, \ldots, M_{k-1}, M_k' P_k^a)$ is in $\mathcal{T}_m(P_0, \ldots, P_k)^h_d$. Refer to the decomposition (5) of this set. Hence there exists an element $T_k$ of $\mathcal{T}_m(P_0, \ldots, P_{k-1})^h_d$ (with its last coordinate set to zero) and coefficients $\mu_0, \ldots, \mu_{k-1}, \nu_k$ such that $(M_0, \ldots, M_{k-1}, M_k' P_k^a) = T_k + \mu_0 \Gamma_{0,k} + \cdots + \mu_{k-1} \Gamma_{k-1,k} + \nu_k \Phi_k$. Coordinate-wise identity writes

$$(M_0, \ldots, M_{k-1}, 0) = T_k + P_k\,(\mu_0, \ldots, \mu_{k-1}, 0),$$
$$-M_k' P_k^a = \mu_0 P_0 + \cdots + \mu_{k-1} P_{k-1} - \nu_k P_k^{q-1} .$$

The second equation implies that $(\mu_0, \ldots, \mu_{k-1}, M_k' P_k^{a-1} - \nu_k P_k^{q-2})$ lies in $\mathcal{T}_m(P_0, \ldots, P_k)^h_{d-2}$, which shows (6). Now by using (6) for $a$ from $1$ to $q - 1$,

$$\mathcal{T}^{(1)}_m(P_0, \ldots, P_k)^h_d \subset \mathcal{T}_m(P_0, \ldots, P_{k-1})^h_d + P_k^a\, \mathcal{T}^{(a+1)}_m(P_0, \ldots, P_k)^h_{d-2a} .$$

The second summand is zero as soon as $d - 2a < 1$. As $a$ increases to $q - 1$, one either encounters this case or ends up with $P_k^{q-1} \mathcal{T}^{(q)}_m(P_0, \ldots, P_k)^h_{d-2(q-1)}$. But again any $(M_0, \ldots, M_{k-1}, 0)$ of the set in factor writes $T_k + P_k(\mu_0, \ldots, \mu_{k-1}, 0)$. In the product set, the second summand vanishes by $P_k^q = 0$. □

By Property 11, two $n$-tuples of $\mathcal{T}_m(P_0, \ldots, P_k)^h_d$ are equivalent modulo $\mathcal{T}_m(P_0, \ldots, P_{k-1})^h_d$ if and only if they have the same $(k+1)$-th coordinate. Hence, the marginal dimension of the second summand in (5) is the dimension of $(\mathcal{R}_m)^h_{d-2}\{P_i\}_{0 \le i \le k-1} + (\mathcal{R}_m)^h_{d-2(q-1)} P_k^{q-1}$. Let $\Gamma_{k,d} = \dim \mathcal{T}_m(P_0, \ldots, P_{k-1})^h_d$ and let $\delta^{(q-1)}_{k+1,d}$ be the dimension of the above. So far, $\Gamma_{k+1,d} = \Gamma_{k,d} + \delta^{(q-1)}_{k+1,d}$. Furthermore, iterating this process, we can show (cf. full version for a proof)

Lemma 1. For any $1 \le a \le q - 1$, let $\delta^{(a)}_{k+1,d}$ denote the dimension of $(\mathcal{R}_m)^h_{d-2}\{P_i\}_{0 \le i \le k-1} + (\mathcal{R}_m)^h_{d-2a} P_k^a$. For $d$ up to the degree of regularity of $P_0, \ldots, P_k$, this dimension follows the induction

$$\delta^{(a)}_{k+1,d} = k \dim(\mathcal{R}_m)^h_{d-2} - \Gamma_{k+1,d-2} + \delta^{(a-1)}_{k+1,d-2},$$

for any $a \ge 2$, and $\delta^{(1)}_{k+1,d} = (k + 1) \dim(\mathcal{R}_m)^h_{d-2} - \Gamma_{k+1,d-2}$.

Using this lemma we finally find the induction defining $\Gamma_{k,d}$ for any $k \le n$ and $d$ up to the degree of regularity of $P_0, \ldots, P_{n-1}$,

$$\Gamma_{k+1,d} = \Gamma_{k,d} + \sum_{i=1}^{q-1} \Big( k \dim(\mathcal{R}_m)^h_{d-2i} - \Gamma_{k+1,d-2i} \Big) + \dim(\mathcal{R}_m)^h_{d-2(q-1)} . \qquad (7)$$

5.4 Numerical Computation of the Upper Bounds 

We numerically computed the above induction formulas using a dynamic programming approach. A simple complexity analysis can be found in the full version. Figure 1 below represents the upper bounds on the degree of regularity of HFE systems for many parameters $q, n$. The corresponding value of $D$ was set to satisfy $q^D = n \log_2 q$, that is, the degree of the internal HFE polynomial is indexed on the block size. This choice lets schemes operating on the same block size have comparable complexity of the secret operations (roughly $(\log_2 q)^3 n^5$ using the algorithms suggested in [16]). One can note that the surface rendering the GJS bound initially coincides with the MQ surface while our bound ensures a much smaller degree of regularity. Figure 2 below renders (cf. full version for colorful figures) the improvement of the HFE bound over the GJS bound as $q$ grows. One can perceive the significance of this improvement from the curves being massively pulled down. This is especially true for small block sizes where the GJS bound is lower bounded by $q$ while the corresponding value of the HFE bound is roughly independent of the value of $q$.

[Plot not reproduced; legend: MQ bound, GJS bound (with $q^D = n \log_2 q$), new HFE bound (with $q^D = n \log_2 q$).]

Fig. 1. Overview of the three upper bounds for many HFE parameters: MQ, GJS, HFE

Fig. 2. Comparing the two upper bounds specific to HFE: GJS, HFE bounds


6 Application to the Security of HFE 

The previous discussion has led to the ability to compute an upper bound on 
the degree of regularity of HFE systems for any parameters. In this section, we 
describe applications of this parameter to the security of HFE. 
6.1 Computing the Degree of Regularity in Practice

We consider a simple algorithm which, given the $n$ quadratic polynomials and a prescribed degree $d \ge 2$, computes a generator basis of combinations in degree $d$ of these polynomials (given by monomial multiples of each polynomial) and puts them in row echelon form (any ordering of terms can be used). It is then trivial to obtain the dimension spanned by these combinations. As a consequence, using this algorithm with $d$ incrementing from 2, one can compare the experimental dimension of combinations with the one predicted until the degree of regularity is found. As soon as these dimensions disagree, the current $d$ is the degree of regularity of the system. Hence, this simple procedure allows one to compute the degree of regularity in practice. Denote by $M_q(n,d)$ the number of monomials of degree $d$ in $n$ variables with exponents modulo $q$. In degree $d$, the canonical generator basis has size $M_q(n,d-2)\,n$. Each such vector has at most $n(n+1)/2$ non-zero coefficients. Computing a row echelon form of these vectors therefore has time complexity about $M_q(n,d-2)^2 n^4$ and space complexity at most $S_q(n,d) = M_q(n,d-2)^2 n^2$. When making $d$ range from 2 to some prescribed $d_{\max}$, the complexity of the iteration is dominated by the complexity at $d = d_{\max}$ because $M_q(n,d-2)$ grows exponentially with $d$. In particular, for HFE$(q,n,D)$ systems, the complexity of computing the degree of regularity is upper bounded by the latter complexity at $d$ set to the HFE bound $S(q,n,D)$ computed previously. Since the degree of regularity of random MQ systems is expected to be very closely tied to the MQ bound (which is much higher for practical parameters), the degree of regularity provides a way to algorithmically distinguish HFE systems from random MQ instances. This distinguisher was already addressed in [4,9,15] and we refer to it as the algebraic distinguisher. Our result makes it possible to compute its complexity for any parameters. Comparing this complexity with the complexity of the differential distinguisher presented in [8], it turns out the latter is almost always far more efficient (cf. full version of the paper).
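The procedure of Section 6.1, as an added example (not code from the paper), for $q = 2$: build the degree-$d$ monomial multiples, reduce them to row echelon form over GF(2), and stop at the first $d$ where the dimension disagrees with the prediction. It assumes the semi-regular Hilbert-series prediction of Bardet et al. [2] for random MQ systems in place of the paper's HFE-specific induction, and the helper names are its own.

```python
import itertools
from math import comb

# Added example (not from the Dubois-Gama paper): the "simple algorithm" of
# Section 6.1 for q = 2.  Homogeneous polynomials live in F_2[x_1..x_n]/(x_i^2),
# i.e. monomials are squarefree (exponents taken modulo q = 2), and a
# polynomial is a set of monomials, each a frozenset of variable indices.
# The predicted dimension is an assumption of this example: the semi-regular
# Hilbert-series count (1+z)^n / (1+z^2)^m of Bardet et al. [2], which is the
# expectation for random MQ systems, not the HFE-specific induction of the text.


def monomials(n, d):
    """All squarefree monomials of degree d in n variables (M_2(n, d) of them)."""
    return [frozenset(c) for c in itertools.combinations(range(n), d)]


def multiply(poly, mono):
    """Monomial multiple of a polynomial; x_i^2 = 0 kills overlapping terms."""
    return {m | mono for m in poly if not (m & mono)}


def rank_gf2(rows):
    """Row echelon form over GF(2); each row is an int used as a bit vector."""
    pivots = {}  # leading bit -> a row having that leading bit
    for v in rows:
        while v:
            lead = v.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = v
                break
            v ^= pivots[lead]
    return len(pivots)


def combination_dimension(polys, n, d):
    """Dimension spanned by degree-d combinations: rank of the matrix whose
    rows are m * P for every polynomial P and every monomial m of degree d-2."""
    col = {m: i for i, m in enumerate(monomials(n, d))}
    rows = []
    for P in polys:
        for mono in monomials(n, d - 2):
            v = 0
            for m in multiply(P, mono):
                v |= 1 << col[m]
            rows.append(v)
    return rank_gf2(rows)


def hilbert_coeffs(n, m, dmax):
    """Coefficients of (1+z)^n / (1+z^2)^m up to z^dmax (exact integers)."""
    s = [comb(n, d) for d in range(dmax + 1)]
    for _ in range(m):            # divide by (1 + z^2): t_d = s_d - t_{d-2}
        t = [0] * (dmax + 1)
        for d in range(dmax + 1):
            t[d] = s[d] - (t[d - 2] if d >= 2 else 0)
        s = t
    return s


def predicted_dimension(n, d, coeffs):
    """Predicted dimension C(n,d) - c_d, or None once c_d <= 0 (no prediction)."""
    return comb(n, d) - coeffs[d] if coeffs[d] > 0 else None


def degree_of_regularity(polys, n, dmax):
    """Increment d from 2; the first d where the experimental dimension
    disagrees with the prediction is the degree of regularity (None if the
    search exhausts dmax without a disagreement)."""
    coeffs = hilbert_coeffs(n, len(polys), dmax)
    for d in range(2, dmax + 1):
        predicted = predicted_dimension(n, d, coeffs)
        if predicted is None or combination_dimension(polys, n, d) != predicted:
            return d
    return None


# Constructed sample system: four quadratic forms in four variables.
SAMPLE_N = 4
SAMPLE_POLYS = [
    {frozenset({0, 1})},                           # x0*x1
    {frozenset({2, 3})},                           # x2*x3
    {frozenset({0, 2}), frozenset({1, 3})},        # x0*x2 + x1*x3
    {frozenset({0, 3}), frozenset({1, 2})},        # x0*x3 + x1*x2
]

if __name__ == "__main__":
    # Degree 2 matches the prediction (dimension 4 out of 6 quadratic monomials);
    # at degree 3 the series coefficient is already negative, so the degree of
    # regularity of this tiny system is 3.
    print(degree_of_regularity(SAMPLE_POLYS, SAMPLE_N, 6))
```

Replacing one polynomial by a copy of another makes the degree-2 dimension drop below the prediction, so the search stops at $d = 2$, the "disagree" branch of the text.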


6.2 Estimated Upper Bound for Solving HFE Systems 

A more critical application uses the heuristic that the degree of regularity originates from the saturation of a subspace of combinations, yielding many degree falls at once. These degree falls in turn contribute to further saturations and further degree falls in smaller degree. When computing a Gröbner basis with a graded ordering, this initiates a process of new head terms appearing with decreasing degree and precipitates the end of the computation. Due to these heuristics, it is commonly taken that the degree of regularity estimates the maximal degree needed in the computation of a Gröbner basis for a graded ordering. In our case, this heuristic is supported by our upper bound on the degree of regularity of HFE closely matching the experimental maximal degree given for $q = 2$ in [12]. As to the complexity of the Gröbner basis computation, it is also commonly estimated as the cost of row echelon form on the combinations matrix at the maximal degree. Although some algorithms offer improvements to reduce the combinations matrix by removing trivial syzygies [11,16], we keep on the simple analysis of the preceding paragraph. When a more detailed analysis is available for a particular algorithm, our upper bound on the degree of regularity can be readily plugged into it to obtain tighter complexity upper bounds. Figure 3 below represents the obtained upper bound for many HFE parameters, where the degree of the internal polynomial is again indexed on the block size by $q^D = n \log_2 q$. Within the limits of the above heuristics, parameters that do not emerge from the 80-bit security level should not be considered secure.



7 Conclusion 

In this paper, we provide a rigorous analysis of the degree of regularity of HFE systems. Under commonly used heuristics, this analysis allows one to derive estimates for the complexity of algebraic attacks on the public key. In particular, using these estimates, hardly any HFE cryptosystem with block size 80 bits can achieve 80-bit security. HFE over GF(2) with block size 128 does not achieve 80-bit security. On the other hand, our work cannot be used to infer the security of HFE parameters, because our estimates are only complexity upper bounds and focus on a particular type of attack. Finally, we point out that the first part of our work, shifting the analysis to the internal polynomial, can be used for any cryptosystem following a similar construction to HFE. In particular, it potentially offers a useful framework for the analysis of variations of HFE.

References 

1. Bardet, M.: Étude des systèmes algébriques surdéterminés. Applications aux codes correcteurs et à la cryptographie. PhD thesis, Université Paris 6 (2004)

2. Bardet, M., Faugère, J.-C., Salvy, B.: On the Complexity of Gröbner Basis Computation of Semi-Regular Overdetermined Algebraic Equations. In: ICPSS International Conference on Polynomial System Solving (2004)

3. Buchberger, B.: Ein Algorithmus zum Auffinden der Basiselemente des Restklassenringes nach einem nulldimensionalen Polynomideal. PhD thesis, Innsbruck (1965)


576 


V. Dubois and N. Gama 


4. Courtois, N.: The Security of Hidden Field Equations (HFE). In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 266-281. Springer, Heidelberg (2001)

5. Courtois, N., Klimov, A., Patarin, J., Shamir, A.: Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 392-407. Springer, Heidelberg (2000)

6. Diem, C.: The XL-Algorithm and a Conjecture from Commutative Algebra. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 323-337. Springer, Heidelberg (2004)

7. Ding, J., Schmidt, D., Werner, F.: Algebraic Attack on HFE Revisited. In: Wu, T.-C., Lei, C.-L., Rijmen, V., Lee, D.-T. (eds.) ISC 2008. LNCS, vol. 5222, pp. 215-227. Springer, Heidelberg (2008)

8. Dubois, V., Granboulan, L., Stern, J.: An Efficient Provable Distinguisher for HFE. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 156-167. Springer, Heidelberg (2006)

9. Faugère, J.-C., Joux, A.: Algebraic Cryptanalysis of Hidden Field Equation (HFE) Cryptosystems Using Gröbner Bases. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 44-60. Springer, Heidelberg (2003)

10. Faugère, J.-C.: A New Efficient Algorithm for Computing Gröbner Bases (F4). Journal of Pure and Applied Algebra 139, 61-88 (1999)

11. Faugère, J.-C.: A New Efficient Algorithm for Computing Gröbner Bases without Reductions to Zero (F5). In: ISSAC, pp. 75-83 (2002)

12. Faugère, J.-C.: Algebraic Cryptanalysis of HFE using Gröbner Bases. Technical Report 4738, INRIA (2003)

13. Kunz-Jacques, S.: Preuves de sécurité et problèmes difficiles en cryptologie : étude de cas. PhD thesis, Université Paris 7 (2007)

14. Lazard, D.: Gröbner-Bases, Gaussian Elimination and Resolution of Systems of Algebraic Equations. In: van Hulzen, J.A. (ed.) ISSAC 1983 and EUROCAL 1983. LNCS, vol. 162, pp. 146-156. Springer, Heidelberg (1983)

15. Granboulan, L., Joux, A., Stern, J.: Inverting HFE Is Quasipolynomial. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 345-356. Springer, Heidelberg (2006)

16. Patarin, J.: Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 33-48. Springer, Heidelberg (1996)

17. Steel, A.: Allan Steel's Groebner Basis Timings Page (2004), magma.maths.usyd.edu.au/users/allan/gb

18. University of Sydney Computational Algebra Group: The MAGMA Computational Algebra System

19. Yang, B.-Y., Chen, J.-M.: All in the XL Family: Theory and Practice. In: Park, C., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, pp. 67-86. Springer, Heidelberg (2005)


Structured Encryption and 
Controlled Disclosure 


Melissa Chase and Seny Kamara 

Microsoft Research 
{melissac, senyk}@microsoft.com


Abstract. We consider the problem of encrypting structured data (e.g., 
a web graph or a social network) in such a way that it can be efficiently 
and privately queried. For this purpose, we introduce the notion of struc- 
tured encryption which generalizes previous work on symmetric search- 
able encryption (SSE) to the setting of arbitrarily-structured data. 

We present a model for structured encryption, a formal security defini- 
tion and several efficient constructions. We present schemes for performing 
queries on two simple types of structured data, specifically lookup queries 
on matrix-structured data, and search queries on labeled data. We then 
show how these can be used to construct efficient schemes for encrypting 
graph data while allowing for efficient neighbor and adjacency queries. 

Finally, we consider data that exhibits a more complex structure such 
as labeled graph data (e.g., web graphs). We show how to encrypt this 
type of data in order to perform focused subgraph queries, which are 
used in several web search algorithms. Our construction is based on our 
labeled data and basic graph encryption schemes and provides insight 
into how several simpler algorithms can be combined to generate an 
efficient scheme for more complex queries. 


1 Introduction 

The most common use of encryption is to provide confidentiality by hiding all 
useful information about the plaintext. Encryption, however, often renders data 
useless in the sense that one loses the ability to operate on it. In certain settings 
this is undesirable and one would prefer encryption schemes that allow for some 
form of computation over encrypted data. 

One example is in the context of remote data storage, or so-called “cloud storage”, where a data owner wishes to store structured data (e.g., a collection of web pages) on an untrusted server and only retain a constant amount of information locally. To guarantee confidentiality, the owner could encrypt the data before sending it to the server but this approach is unsatisfactory because the data loses its structure and, in turn, the owner loses the ability to query it efficiently.

To address this problem we introduce the notion of structured encryption. A 
structured encryption scheme encrypts structured data in such a way that it can 
be queried through the use of a query-specific token that can only be generated 
with knowledge of the secret key. In addition, the query process reveals no useful 
information about either the query or the data. An important consideration in
this context is the efficiency of the query operation on the server side. In fact, in 
the context of cloud storage, where one often works with massive datasets, even 
linear time operations can be infeasible. 

Roughly speaking, we view structured data as a combination of a data structure $\delta$ and a sequence of data items $m = (m_1,\dots,m_n)$ such that $\delta$ encodes the data's structure and $m$ represents the actual data. For example, in the case of graph-structured data such as a social network, $\delta$ is a graph with $n$ nodes and the $i$th element of $m$ is the data associated with node $i$. To query the data efficiently, one queries $\delta$ to recover a set of pointers $I \subseteq [1,n]$ and then retrieves the items in $m$ indexed by $I$.

At a high level, a structured encryption scheme takes as input structured data $(\delta, m)$ and outputs an encrypted data structure $\gamma$ and a sequence of ciphertexts $c = (c_1,\dots,c_n)$. Using the private key, a token $\tau$ can be constructed for any query such that pointers to the encryptions of $(m_i)_{i \in I}$ can be recovered from $\gamma$ and $\tau$. Furthermore, given the private key, one can decrypt any ciphertext $c_i$.

A certain class of symmetric searchable encryption (SSE) schemes [18,11,15] can be viewed as structured encryption schemes for the special purpose of private keyword search over encrypted document collections. Of course, the functionality provided by structured encryption can be achieved using general techniques like oblivious RAMs [20], secure two-party computation [?] and fully-homomorphic encryption (FHE) [?]. In our context, however, we are interested in solutions that are non-interactive and, at worst, linear in the number of data items as opposed to linear in the length of the data. All the schemes described in this work are non-interactive and optimal in that the query time is linear in the number of data items to be returned.

Informally, a basic notion of security for structured encryption guarantees that (1) an encrypted data structure $\gamma$ and a sequence of ciphertexts $c$ reveal no partial information about the data $m$; and that (2) given, in addition, a sequence of tokens $(\tau_1,\dots,\tau_t)$ for queries $q = (q_1,\dots,q_t)$, no information is leaked about either $m$ or $q$ beyond what can be inferred from some limited leakage which is a function of $\delta$, $m$ and $q$. A stronger notion, introduced in [11], guarantees that (2) holds even when the queries are generated adaptively.

All known constructions that can be considered efficient structured encryption schemes (i.e., the index-based SSE schemes [18,11,15]) reveal some limited information about the data items and queries. In particular, for any query they reveal at least (1) the access pattern, which consists of the pointers $I$; and (2) the query pattern, which reveals whether two tokens were for the same query.¹


1.1 Applications of Structured Encryption 

Private queries on encrypted data. The most immediate application of structured encryption is for performing private queries on encrypted data. In this setting, a client encrypts its (structured) data $(\delta, m)$ resulting in an encrypted data structure $\gamma$ and a sequence of ciphertexts $c$. It then sends $(\gamma, c)$ to the server. Whenever the client wishes to query the data, it sends a token $\tau$ to the server which the latter uses to recover pointers $J$ to the appropriate ciphertexts. Using a structured encryption scheme in this manner enables the client to store its data remotely while simultaneously guaranteeing confidentiality against the server (in the sense outlined above) and efficient querying and retrieval. While this problem has received considerable attention for the special case of document collections [?], as far as we know, it has never been considered for other kinds of data.

¹ While the public-key encryption scheme with keyword search of [?] yields an SSE scheme that hides the access and query patterns, it is interactive.

Controlled disclosure for local algorithms. While the original motivation for 
structured encryption was to perform private queries on encrypted data (or 
more precisely, private searches on encrypted data), we introduce here a new 
application which we refer to as controlled disclosure. 

In this setting, the client not only wants to store its data remotely but expects 
the server (or some third party) to perform some computation over the data. 
In particular, while the client is willing to reveal the information necessary for 
the server to perform its task, the client does not want to reveal anything else. 
Consider, e.g., a client that stores a large-scale social network remotely and that, 
at some point, needs the server to analyze a small subset of the network. If the 
social network were encrypted using a classical encryption scheme the client 
would have to reveal the entire network, leaking extra information to the server. 
Ideally, what we want in this setting is a mechanism that allows the client to 
encrypt the data and later disclose the “pieces” of it that are necessary for the 
server to perform its task. 

Another application of controlled disclosure is to the emerging area of (cloud-based) data brokerage services, such as Microsoft's Dallas [14] and Infochimps [?]. Here, the cloud provider acts as a broker between a data provider that
wishes to sell access to a massive dataset and a data consumer that needs access 
to the data. The data is stored “in the cloud” and the cloud operator manages 
the consumer’s access to the provider’s data. Using controlled disclosure, the 
provider could encrypt its data before storing it in the cloud and release tokens 
to the consumer as appropriate. Such an approach would have several advantages 
including (1) enabling the producer to get an accurate measure of the consumer’s 
use of the data; and (2) ensuring the producer that the consumer can only access 
the authorized segments of data, even if the consumer and the cloud operator 
collude. 

Clearly, if the algorithm executed by the server (or the data consumer) is 
“global”, in the sense that it needs to read all the data, then controlled disclo- 
sure provides no security. On the other hand, if the algorithm is “local” , in that it 
only needs to read part of the data, then controlled disclosure preserves the con- 
fidentiality of the remaining data. There are numerous algorithms that exhibit 
this kind of local behavior and they are used extensively in practice to solve a 
variety of problems. For example, many optimization problems like the traveling 
salesman problem or vertex cover are handled in practice using local search algorithms (e.g., hill climbing, genetic algorithms or simulated annealing). Several link-analysis algorithms for web search such as Kleinberg's seminal HITS algorithm (and the related SALSA algorithm) are local. Finally, the recent work of Brautbar and Kearns on “jump and crawl” algorithms [?] motivates and proposes several local algorithms for social network analysis, including for finding vertices with high degree and high clustering coefficient.

Controlled disclosure can be viewed as a compromise between full security on the one hand and efficiency and functionality on the other. In settings where computation needs to be performed on massive datasets and “fully secure” solutions like multi-party computation [?] and fully-homomorphic encryption [?] are prohibitively expensive, controlled disclosure provides a practical solution without completely compromising security.

1.2 Our Results 

Performing private queries on encrypted data is an important goal that is well 
motivated by the recent trend towards cloud storage. Giving clients the means 
to encrypt their data without losing the ability to efficiently query and retrieve 
it provides obvious benefits to the client but also frees the cloud provider from 
many legal exposures (see [2,21,32] for discussion of these issues). It additionally
provides a mechanism by which clients from regulated industries can make use 
of cloud storage (e.g., to store medical records or financial documents) while 
remaining compliant. 

While the recent work on searchable encryption constitutes an important step 
towards this goal, we note that a noticeable fraction of the data generated to- 
day is not text data. Indeed, many large-scale datasets (e.g., image collections, 
social network data, maps or location information) exhibit a different and some- 
times more complex structure that cannot be handled properly using searchable 
encryption. To address this, we: 

1. introduce the notion of structured encryption, which generalizes index-based symmetric searchable encryption [18,11,15] to arbitrarily-structured data and propose a novel application of structured encryption (and therefore of SSE) to the problem of controlled disclosure.

2. extend the adaptive security definition of [11] to the setting of structured encryption,

3. give constructions of adaptively-secure structured encryption schemes for a 
variety of structures and queries including: 

(a) (lookup queries on matrix-structured data) given a matrix and pair ( i , j ), 
return the value stored at row i and column j. This captures, e.g., lookup 
queries on digital images or retrieval of maps. 

(b) (search queries on labeled data) given a set of labeled items and keyword 
w, return the items labeled with w. This captures the familiar setting 
of searchable encryption. We briefly note that our construction exhibits 
a combination of useful properties that, as far as we know, no previous 
scheme achieves. 
(c) (neighbor queries on graph-structured data) given a graph and a node i,
return all the nodes adjacent to i. This captures, e.g., retrieving a user’s 
“friend list” in a social network. 

(d) (adjacency queries on graph-structured data) given a graph and two 
nodes i and j, return 1 if they are adjacent and return 0 otherwise. 
This captures, e.g., testing whether two users are “friends” in a social 
network. 

While the previous constructions are useful in their own right, an important 
goal with respect to structured encryption is to construct schemes that are able 
to encrypt complex structures and to handle expressive queries that take full 
advantage of the complexity of the data’s structure. As an example, consider 
the case of web graphs (i.e., subgraphs of the Web) which are composed of pages 
with both text and hyperlinks. Encrypting the pages of a web graph using a 
searchable encryption scheme will only enable keyword search over the encrypted 
pages. Web graphs, however, exhibit a much richer structure and we typically 
want to perform more complex queries on them. Towards this goal, our final 
contribution is to show how to encrypt web graphs and, more generally, what 
we refer to as labeled graph data. In particular, we: 

4. give a structured encryption scheme for labeled graphs that handles focused subgraph queries. Roughly speaking, for a given search keyword, a focused subgraph query on a web graph returns a subgraph that encodes enough information about it to yield a good ranking of the pages for that search. These queries are an essential part of Kleinberg's seminal HITS algorithm [?] (and its many successors).

Our construction uses as building blocks some of the schemes mentioned 
above. We stress, however, that it is not sufficient to use the schemes “as-is” 
and we show a novel way of combining structured encryption schemes for 
simple structures in order to build schemes that handle more complex data 
and more expressive queries. The approach is general and can be adapted to 
other complex data types. 

2 Related Work 

We already mentioned work on oblivious RAMs, secure two-party computation 
and FHE so we restrict the following discussion to searchable and functional 
encryption. 

Searchable encryption. As mentioned above, structured encryption is a generalization of the notion of a secure index first proposed by Goh [18] for the purpose of building symmetric searchable encryption schemes [?]. In [18], Goh gives a formal security definition for secure indexes and a construction based on Bloom filters. This was followed by [?] and [?], the latter of which gave stronger security definitions and more efficient constructions. Our security definitions for structured encryption in Section 4 generalize the ones in [11] to arbitrarily-structured data. Searchable encryption has also been considered in the public-key setting [?].

Functional encryption. Functional encryption [?] is a recent paradigm that generalizes work on a variety of problems including identity-based encryption [?], attribute-based encryption [28,22,4], and predicate encryption [?].

Roughly speaking, a structured encryption scheme can be viewed as a functional encryption scheme for which a token can only be used on a single ciphertext. We provide a more detailed comparison between the two approaches in the full version [?].

3 Notation and Preliminaries 

Notation. Given a sequence $v$ of $n$ elements, we refer to its $i$th element as $v_i$. If $f$ is a function with domain $\mathcal{U}$ and $S \subseteq \mathcal{U}$, then $f[S]$ refers to the image of $S$ under $f$. The set of all $\lambda_1 \times \lambda_2$ matrices over a set $S$ is denoted $S^{\lambda_1 \times \lambda_2}$. $\mathcal{G}_n$ and $\vec{\mathcal{G}}_n$ are the sets of all undirected and directed graphs of size $n$, respectively. An undirected graph $G = (V, E)$ consists of a set of vertices $V$ and a set of edges $E = \{(i,j)\}$ where $i, j \in V$. We denote by $\deg(i)$ the degree of node $i$. If $G$ is directed, then the pairs $(i,j)$ are ordered and we refer to $i$ as the tail and to $j$ as the head of the edge. In addition, we denote $i$'s in and out degrees by $\deg^-(i)$ and $\deg^+(i)$, respectively.

Data types. An abstract data type is a collection of objects together with a set of operations defined on those objects. For simplicity and visual clarity we define data types as having a single operation but this can be extended to model data types with multiple operations in the natural way. Formally, a data type $\mathcal{T}$ is defined by a universe $\mathcal{U} = \{\mathcal{U}_k\}_{k \in \mathbb{N}}$ and an operation $\mathsf{Query} : \mathcal{U} \times \mathcal{Q} \to \mathcal{R}$, where $\mathcal{Q} = \{\mathcal{Q}_k\}_{k \in \mathbb{N}}$ is the operation's query space and $\mathcal{R} = \{\mathcal{R}_k\}_{k \in \mathbb{N}}$ is its response space. The universe, query and response spaces are ensembles of finite sets indexed by the security parameter $k$. In this work, we assume the universe is a totally ordered set, and that the response space includes a special element $\bot$ denoting failure.

4 Definitions 

In this section we formalize structured encryption schemes and present our main 
security definition. Before doing so, however, we make explicit two properties of 
structured encryption which we will make use of throughout this work. 

Induced permutation. Unlike previous work on searchable encryption we choose to include the data items (i.e., the documents in the case of searchable encryption) and their encryptions in our definitions. We prefer this approach because explicitly capturing each component of the system can bring to light subtle interactions between them. As an example, consider the correlation between the location of the data items in the sequence $m$ and the locations of their corresponding ciphertexts in $c$. More precisely, let $\pi$ be the permutation over $[n]$ such that for all $i \in [n]$, $m_i := \mathsf{Dec}_K(c_{\pi(i)})$. We refer to $\pi$ as the permutation induced by $m$ and $c$.

The reason most SSE constructions (with the exception of oblivious RAMs) leak the access pattern is because $\pi$ is the identity function. This means that in order to (efficiently) retrieve items $\{m_i : i \in I\}$ the server must know $I$. Our constructions hide part of the access pattern essentially because they break this correlation by inducing a (pseudo-)random permutation between $m$ and $c$.

Associativity. We also make explicit a property possessed by some constructions (e.g., the non-adaptively secure SSE construction of [?]) that we refer to as associativity. Intuitively, a scheme is associative if one can associate an item $v_i$ with data item $m_i$ in such a way that a query operation returns, in addition to the pointers $J$, the strings $(v_i)_{i \in I}$. We capture this by re-defining the message space of our encryption algorithms to take, in addition to a data structure $\delta$, a sequence $M = ((m_1, v_1), \dots, (m_n, v_n))$ of pairs that consist of a private data item $m_i$ and a semi-private² item $v_i$. We sometimes refer to the sequences $(m_1, \dots, m_n)$ and $(v_1, \dots, v_n)$ as $m$ and $v$, respectively.

Associativity is useful for several reasons. The most direct application is to provide the client the ability to associate some meta-data with the ciphertexts that may be useful to the server (e.g., file name or size). In situations where the client wishes to grant the server access to the data, the semi-private items could even be decryption keys for the associated ciphertexts. As we will see in Section [?], however, associativity can also be used to “chain” structured encryption schemes together in order to construct complex schemes from simpler ones.

Definition 1 (Private-key structured encryption). Let $\mathcal{T}$ be an abstract data type supporting operation $\mathsf{Query} : \mathcal{U} \times \mathcal{Q} \to \mathcal{R}$ where $\mathcal{R} = [n]$ for $n \in \mathbb{N}$. An associative private-key structured encryption scheme for $\mathcal{T}$ is a tuple of five polynomial-time algorithms $\Pi = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Token}, \mathsf{Query}_e, \mathsf{Dec})$ such that:

$K \leftarrow \mathsf{Gen}(1^k)$: is a probabilistic algorithm that takes as input a security parameter $k$ and outputs a private key $K$.

$(\gamma, c) \leftarrow \mathsf{Enc}(K, \delta, M)$: is a probabilistic algorithm that takes as input a private key $K$, a data structure $\delta$ of type $\mathcal{T}$, and a sequence of private and semi-private data $M$. It outputs an encrypted data structure $\gamma$ and a sequence of ciphertexts $c$. We sometimes write this as $(\gamma, c) \leftarrow \mathsf{Enc}_K(\delta, M)$.

$\tau \leftarrow \mathsf{Token}(K, q)$: is a (possibly probabilistic) algorithm that takes as input a private key $K$ and a query $q \in \mathcal{Q}$ and outputs a token $\tau$. We sometimes write this as $\tau \leftarrow \mathsf{Token}_K(q)$.

$(J, v_I) := \mathsf{Query}_e(\gamma, \tau)$: is a deterministic algorithm that takes as input an encrypted data structure $\gamma$ and a token $\tau$. It outputs a set of pointers $J \subseteq [n]$ and a sequence of semi-private data $v_I = (v_i)_{i \in I}$ where $I = \pi^{-1}[J]$.

$m_j := \mathsf{Dec}(K, c_j)$: is a deterministic algorithm that takes as input a secret key $K$ and a ciphertext $c_j$ and outputs a message $m_j$.

² We refer to the items $(v_1, \dots, v_n)$ as semi-private since, unlike $(m_1, \dots, m_n)$, they can be recovered given an appropriate token.

We say that $\Pi$ is correct if for all $k \in \mathbb{N}$, for all $K$ output by $\mathsf{Gen}(1^k)$, for all $\delta \in \mathcal{U}_k$, for all $M$, for all $(\gamma, c)$ output by $\mathsf{Enc}(K, \delta, M)$, for all $q \in \mathcal{Q}_k$, for all $\tau$ output by $\mathsf{Token}(K, q)$, for $(J, v_I)$ output by $\mathsf{Query}_e(\gamma, \tau)$,

$J = \pi[\mathsf{Query}(\delta, q)]$ and $\mathsf{Dec}_K(c_j) = m_j$ for all $j \in [n]$,

where $\pi$ is the permutation induced by $m$ and $c$.

The intuitive security guarantee we seek is that (1) given an encrypted data
structure $\gamma$ and a sequence of ciphertexts $c$, no adversary can learn any partial
information about $m$; and that (2) given, in addition, a sequence of tokens
$t = (\tau_1, \ldots, \tau_t)$ for an adaptively generated sequence of queries $q = (q_1, \ldots, q_t)$,
no adversary can learn any partial information about either $m$ or $q$ beyond what
is revealed by the semi-private data $(v_{I_1}, \ldots, v_{I_t})$.

This exact intuition can be difficult to achieve and in some settings is un-
necessarily strong. Consider, e.g., the fact that the number of data items $n$ is
immediately revealed to the adversary since it receives the ciphertexts $c$. Another
example is in the setting of SSE where, as discussed earlier, all known efficient
and non-interactive schemes [refs] reveal the access and query patterns. We
would therefore like to weaken the definition appropriately by allowing some lim-
ited information about the messages and the queries to be revealed. On the other
hand, it is not clear that such leakage is always necessary in order to achieve
efficiency (e.g., the number of data items can be easily hidden by padding), so
we prefer not to “hardcode” this leakage in our definition. To formalize this we
parameterize the definition with two leakage functions $\mathcal{L}_1$ and $\mathcal{L}_2$ that capture
precisely what is being leaked by the ciphertext and the tokens.

We now present our security definition for adaptive adversaries, which is a
generalization of the definition of [ref]. Intuitively, we require that the view of an
adversary (i.e., the encrypted data structure, the sequence of ciphertexts, and the
sequence of tokens) generated from any adaptive query strategy be simulatable
given the leakage information and the semi-private data.

Definition 2 (CQA2-security). Let $\Sigma = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Token}, \mathsf{Query}_e, \mathsf{Dec})$ be an
associative private-key structured encryption scheme for data of type $\mathcal{T}$ support-
ing operation $\mathsf{Query} : \mathcal{U} \times \mathcal{Q} \to [n]$, for some $n \in \mathbb{N}$, and consider the following
probabilistic experiments where $\mathcal{A}$ is an adversary, $\mathcal{S}$ is a simulator and $\mathcal{L}_1$ and
$\mathcal{L}_2$ are (stateful) leakage algorithms:

$\mathbf{Real}_{\mathcal{A}}(k)$: the challenger begins by running $\mathsf{Gen}(1^k)$ to generate a key $K$. $\mathcal{A}$
outputs a pair $(\delta, M)$ and receives $(\gamma, c) \leftarrow \mathsf{Enc}_K(\delta, M)$ from the challenger.
The adversary makes a polynomial number of adaptive queries and, for each
query $q$, receives a token $\tau \leftarrow \mathsf{Token}_K(q)$ from the challenger. Finally, $\mathcal{A}$
returns a bit $b$ that is output by the experiment.

$\mathbf{Ideal}_{\mathcal{A},\mathcal{S}}(k)$: $\mathcal{A}$ outputs a tuple $(\delta, M)$. Given $\mathcal{L}_1(\delta, M)$, $\mathcal{S}$ generates and
sends a pair $(\gamma, c)$ to $\mathcal{A}$. The adversary makes a polynomial number of adap-
tive queries and for each query $q$ the simulator is given $(\mathcal{L}_2(\delta, q), v_I)$, where
$I := \mathsf{Query}(\delta, q)$. The simulator returns a token $\tau$. Finally, $\mathcal{A}$ returns a bit $b$
that is output by the experiment.

We say that $\Sigma$ is $(\mathcal{L}_1, \mathcal{L}_2)$-secure against adaptive chosen-query attacks if for all
ppt adversaries $\mathcal{A}$, there exists a ppt simulator $\mathcal{S}$ such that

$\left| \Pr[\mathbf{Real}_{\mathcal{A}}(k) = 1] - \Pr[\mathbf{Ideal}_{\mathcal{A},\mathcal{S}}(k) = 1] \right| \le \mathrm{negl}(k).$

As previously discussed, the $\mathcal{L}_2$ leakage of our constructions mainly consists of
the query and intersection patterns. Intuitively, the query pattern reveals when
a query is repeated, while the intersection pattern reveals when the same items are
accessed, but not which items are accessed (i.e., their locations in $m$). The latter is hidden in our
definition below by applying a random permutation to the items' locations in $m$.

Definition 3 (Query and intersection patterns). Let $q$ be a non-empty
sequence of queries. For any $q_t \in q$, the query pattern $\mathsf{QP}(q_t)$ is a binary vector
of length $t$ with a $1$ at location $i$ if $q_i = q_t$ and a $0$ otherwise. The intersection
pattern $\mathsf{IP}(q_t)$ is a sequence of length $t$ with $f[I]$ at location $t$, where $f$ is a fixed
random permutation over $[n]$ and $I := \mathsf{Query}(\delta, q_t)$.
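The two patterns of Definition 3 computed over a constructed toy labeling, as an added example (not code from the paper): query_pattern and intersection_pattern follow the definition, leakage_trace collects what $\mathcal{L}_2$ reveals over a whole adaptive query sequence, and LABELING, N_ITEMS and the keywords are made-up sample data.

```python
import secrets

# Constructed sample data (not from the paper): a labeling L over n = 6 items,
# given as keyword -> set of 0-based item indices (the paper uses 1-based [n]).
LABELING = {"alpha": {0, 1, 4}, "beta": {1, 2}, "gamma": {4}}
N_ITEMS = 6


def query_pattern(queries, t):
    """QP(q_t): binary vector of length t with a 1 at i iff q_i == q_t."""
    return [1 if queries[i] == queries[t - 1] else 0 for i in range(t)]


def intersection_pattern(queries, t, labeling, f):
    """Entry t of IP: f[I] for I := Search(L, q_t), f a fixed permutation over [n].

    Only the image of I under f is revealed, so the server learns which
    pointers repeat across queries but not the items' positions in m."""
    result = labeling.get(queries[t - 1], set())
    return frozenset(f[i] for i in result)


def random_permutation(n):
    """Uniformly random permutation of range(n), standing in for the fixed f."""
    perm = list(range(n))
    for i in range(n - 1, 0, -1):  # Fisher-Yates with a CSPRNG
        j = secrets.randbelow(i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm


def leakage_trace(queries, labeling=LABELING, n=N_ITEMS, f=None):
    """What L2 reveals for the sequence: (QP(q_t), IP entry t) for every t."""
    if f is None:
        f = random_permutation(n)
    return [(query_pattern(queries, t), intersection_pattern(queries, t, labeling, f))
            for t in range(1, len(queries) + 1)]
```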

5 Structured Encryption for Basic Structures 

In this Section we present constructions of structured encryption schemes for
data with simple structures. In Section 6 we will use some of these as building
blocks to design schemes for data that exhibits a more complex structure. We
stress, however, that the constructions presented here are of independent interest.

5.1 Lookup Queries on Matrices 

We describe a structured encryption scheme for matrix-structured data which
consists of a $\lambda_1 \times \lambda_2$ matrix $M$ of pointers into a sequence of $n$ data items
$m$. Here, the matrix type has universe $\mathcal{U} = [n]^{\lambda_1 \times \lambda_2}$ and supports the lookup
operation $\mathsf{Lkp} : [n]^{\lambda_1 \times \lambda_2} \times [\lambda_1] \times [\lambda_2] \to [n]$ that takes as input a matrix $M$ and
a pair $(\alpha, \beta)$ and returns $M[\alpha, \beta]$.

Matrix-structured data is ubiquitous and includes any kind of two-dimensional
data. Consider, e.g., the case of digital images which can be viewed as a pair
$(M, m)$, where $M$ is a matrix such that the cell at location $(\alpha, \beta)$ points to some
$m_i$ that encodes the color of the pixel at location $(\alpha, \beta)$ in the image.

Our construction, described in Figure 1 below, is associative. At a high level,
encryption is done by (1) padding the data items to be of the same length; (2)
randomly permuting the location of the data items; (3) randomly permuting the lo-
cation of the matrix cells using a PRP; and (4) encrypting the contents of
the cells (and the semi-private data) using the output of a PRF. The purpose of
the last two steps is immediate. Steps (1) and (2) are what allow us to hide part
of the access pattern by inducing a pseudo-random permutation between $m$ and $c$.

Lookup queries are handled by sending the permuted location of a cell (which
can be recovered by the client since it stores the key to the PRP) and the output
of the PRF used to encrypt the contents (which can also be recovered since the
client stores the key to the PRF).


586 M. Chase and S. Kamara


Let $F : \{0,1\}^k \times \{0,1\}^* \to \{0,1\}^*$ be a pseudo-random function, $P :
\{0,1\}^k \times [\lambda_1] \times [\lambda_2] \to [\lambda_1] \times [\lambda_2]$ be a pseudo-random permutation and $\Pi =
(\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ be a private-key encryption scheme. Our encryption scheme
$\mathsf{Matrix} = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Token}, \mathsf{Lkp}_e, \mathsf{Dec})$ is defined as follows:

- $\mathsf{Gen}(1^k)$: generate two random $k$-bit strings $K_1, K_2$ and a key $K_3 \leftarrow
\Pi.\mathsf{Gen}(1^k)$. Set $K := (K_1, K_2, K_3)$.

- $\mathsf{Enc}(K, M, \mathbf{M})$, where $M$ is the matrix and $\mathbf{M}$ the data: construct a $\lambda_1 \times \lambda_2$ matrix $C$ as follows:

1. parse $\mathbf{M}$ as $m$ and $v$

2. choose a pseudo-random permutation $G : \{0,1\}^k \times [n] \to [n]$

3. sample a $k$-bit string $K_4$ uniformly at random

4. for all $(\alpha, \beta) \in [\lambda_1] \times [\lambda_2]$,

store $(G_{K_4}(i), v_i) \oplus F_{K_1}(\alpha, \beta)$, where $i := M[\alpha, \beta]$, at location
$(\alpha', \beta') := P_{K_2}(\alpha, \beta)$ in $C$.

If $M[\alpha, \beta] = \bot$, then $(G_{K_4}(i), v_i)$ above is replaced with a random
string of appropriate length.

Let $m^*$ be the sequence that results from padding the elements of $m$
so that they are of the same length and permuting them according to
$G_{K_4}$. For $1 \le j \le n$, let $c_j \leftarrow \Pi.\mathsf{Enc}_{K_3}(m^*_j)$. Output $\gamma := C$ and
$c = (c_1, \ldots, c_n)$.

- $\mathsf{Token}(K, \alpha, \beta)$: output $\tau := (s, \alpha', \beta')$, where $s := F_{K_1}(\alpha, \beta)$ and
$(\alpha', \beta') := P_{K_2}(\alpha, \beta)$.

- $\mathsf{Lkp}_e(\gamma, \tau)$: parse $\tau$ as $(s, \alpha', \beta')$; compute and output $(j, v) := s \oplus C[\alpha', \beta']$.

- $\mathsf{Dec}(K, c_j)$: return $m_j := \Pi.\mathsf{Dec}_{K_3}(c_j)$.


Fig. 1. An associative structured encryption scheme for matrices

In Theorem 1 below we show that the construction above is secure against
adaptive chosen-query attacks.

Theorem 1. If $F$, $P$ and $G$ are pseudo-random, and if $\Pi$ is CPA-secure, then
$\mathsf{Matrix}$ is $(\mathcal{L}_1, \mathcal{L}_2)$-secure against adaptive chosen-query attacks, where $\mathcal{L}_1(M, \mathbf{M})
= (\lambda_1, \lambda_2, n, \ell)$ and $\mathcal{L}_2(M, \alpha, \beta) = (\mathsf{QP}(\alpha, \beta), \mathsf{IP}(\alpha, \beta))$.

The proof is omitted due to lack of space but appears in the full version [ref].

5.2 Search Queries on Labeled Data 

We now present a structured encryption scheme for labeled data which consists
of a “labeling” $L$ and a sequence of data items $m$. Informally, a labeling just
associates a set of keywords to each data item. More formally, the labeling data
type has as universe $\mathcal{U}$ the set of all binary relations between $[n]$ and $W$, where $W$
is a set of keywords. In addition, it supports the operation $\mathsf{Search} : \mathcal{U} \times W \to 2^{[n]}$
that takes as input a labeling and a keyword $w$ and returns the set $L(w) = \{i \in
[n] : (i, w) \in L\}$.
Let $F : \{0,1\}^k \times W \to \{0,1\}^*$ and $P : \{0,1\}^k \times W \to \{0,1\}^k$ be pseudo-
random functions and $\Pi = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ be a private-key encryption
scheme. Our scheme $\mathsf{Label} = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Token}, \mathsf{Search}_e, \mathsf{Dec})$ is defined as
follows:

- $\mathsf{Gen}(1^k)$: sample two random $k$-bit keys $K_1, K_2$, and generate a key
$K_3 \leftarrow \Pi.\mathsf{Gen}(1^k)$. Set $K := (K_1, K_2, K_3)$.

- $\mathsf{Enc}(K, L, M)$: construct a dictionary $T$ as follows:

1. parse $M$ as $m$ and $v$.

2. choose a pseudo-random permutation $G : \{0,1\}^k \times [n] \to [n]$

3. sample a $k$-bit string $K_4$ uniformly at random

4. for each $w \in W$ such that $L(w) \neq \emptyset$, let $\kappa_w := P_{K_2}(w)$ and

store $\big((G_{K_4}(i), v_i)_{i \in L(w)}\big) \oplus F_{K_1}(w)$ in $T$ with search key $\kappa_w$.
Use padding to ensure that the strings $\big((G_{K_4}(i), v_i)_{i \in L(w)}\big)$ are all
of the same length.

Let $m^*$ be the sequence that results from padding the elements of $m$
so that they are of the same length and permuting them according to
$G_{K_4}$. For $1 \le j \le n$, let $c_j \leftarrow \Pi.\mathsf{Enc}_{K_3}(m^*_j)$. Output $\gamma := T$ and
$c = (c_1, \ldots, c_n)$.

- $\mathsf{Token}(K, w)$: output $\tau := (F_{K_1}(w), P_{K_2}(w))$.

- $\mathsf{Search}_e(\gamma, \tau)$: parse $\tau$ as $(\alpha, \beta)$ and compute $s := T(\beta) \oplus \alpha$, where $T(\beta)$
refers to the value stored in $T$ with search key $\beta$. If $\beta$ is not in $T$ then
output $J = \emptyset$ and $v_I = \bot$. Otherwise parse $s$ as $((j_1, v_{i_1}), \ldots, (j_t, v_{i_t}))$
and output $J = (j_1, \ldots, j_t)$ and $v_I = (v_{i_1}, \ldots, v_{i_t})$.

- $\mathsf{Dec}(K, c_j)$: output $m_j := \Pi.\mathsf{Dec}_{K_3}(c_j)$.


Fig. 2. An associative structured encryption scheme for labeled data


Our construction, described in Figure 2, is efficient, associative and adaptively
secure and, as far as we know, is the first scheme to achieve all three properties.
It is based on the first scheme of [ref] (SSE-1) which is efficient and associative
but not adaptively secure (footnote 3). The second scheme of [ref], on the other hand, is
adaptively secure but is inefficient and not associative.

Our construction makes use of a dictionary which is a data structure that
stores pairs $(a, b)$ such that given $a$, the corresponding value $b$ can be recovered
efficiently. We refer to $a$ as the “search key” and to $b$ as the value. Dictionaries can
be implemented in a variety of ways, including using search trees or hash tables.
Intuitively, encryption proceeds as follows in our scheme. As in our previous
construction, we pad and permute the data items with a PRP $G$. For each
keyword $w$ an array is constructed where each cell stores (1) a pointer $j$ from
the set $L^*(w) = G_{K_4}[L(w)]$ and (2) the corresponding semi-private item $v_j$. The
array is then padded up to a standard length, encrypted using the output
of a PRF and stored in a dictionary using as search key the output of another
PRF on the keyword. Search queries are handled by sending the search key
(which can be recovered by the client using the key to the second PRF) and the
output of the PRF used to encrypt the array (which can be recovered using the
key to the first PRF). The efficiency of our search operation depends on how
the underlying dictionary is implemented, but in this context any solution based
on hash tables is appropriate and will give search time that is $O(|I|)$, which is
optimal.

3 While our scheme achieves the same efficiency as SSE-1 with respect to search time,
SSE-1 is more efficient with respect to storage.

Theorem 2. If $F$, $P$ and $G$ are pseudo-random and if $\Pi$ is CPA-secure, then
$\mathsf{Label}$ is $(\mathcal{L}_1, \mathcal{L}_2)$-secure against adaptive chosen-query attacks, where $\mathcal{L}_1(L, M)
= (|W|, n, \ell)$ and $\mathcal{L}_2(L, w) = (|I|, \mathsf{QP}(w), \mathsf{IP}(w))$.

The proof is omitted due to lack of space but appears in the full version [ref].


5.3 Neighbor Queries on Graphs 

We now consider encryption of graph-structured data and, in particular, of
graphs that support neighbor queries. Formally, the graph type we consider
has universe $\mathcal{U} = \mathcal{G}_n$ and supports the neighbor operation $\mathsf{Neigh} : \mathcal{G}_n \times [n] \to 2^{[n]}$
that takes as input an undirected graph $G$ with $n$ nodes and a node $i$ and returns
the nodes adjacent to $i$.

Our approach here is to encode the graph as a labeling and to apply a struc-
tured encryption scheme for labeled data (such as the one described in the pre-
vious Section). Given some graph-structured data $(G, m)$, where $G = (V, E)$, we
construct the labeled data $(L, m)$ such that $L$ assigns to each data item $m_i$ a
label set corresponding to the set of nodes adjacent to the $i$-th node. Neighbor
queries are handled by sending a token for “keyword” $i \in V$ which allows the
server to recover pointers to all the data items associated with $i$ by the labeling.
Our construction is described in detail in Figure 3 below.


Let $\mathsf{Label} = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Token}, \mathsf{Search}_e, \mathsf{Dec})$ be an associative struc-
tured encryption scheme for labeled data. Our scheme $\mathsf{Graph} =
(\mathsf{Gen}, \mathsf{Enc}, \mathsf{Token}, \mathsf{Neigh}_e, \mathsf{Dec})$ is defined as follows:

- $\mathsf{Gen}(1^k)$: generate and output $K \leftarrow \mathsf{Label}.\mathsf{Gen}(1^k)$.

- $\mathsf{Enc}(K, G, M)$: parse $M$ as $m$ and $v$ and construct a labeling $L$ that
associates to each $m_i$ the set $\{j \in [n] : (i, j) \in E\}$, where $E$ is the set
of edges in $G$. Output $(\gamma, c) \leftarrow \mathsf{Label}.\mathsf{Enc}_K(L, M)$.

- $\mathsf{Token}(K, i)$: compute and output $\tau \leftarrow \mathsf{Label}.\mathsf{Token}_K(i)$.

- $\mathsf{Neigh}_e(\gamma, \tau)$: output $J := \mathsf{Label}.\mathsf{Search}_e(\gamma, \tau)$.

- $\mathsf{Dec}(K, c_j)$: output $m_j := \mathsf{Label}.\mathsf{Dec}_K(c_j)$.


Fig. 3. A structured encryption scheme for graphs supporting neighbor queries


Theorem 3. If $\mathsf{Label}$ is $(\mathcal{L}_1, \mathcal{L}_2)$-secure against adaptive chosen-query attacks,
then $\mathsf{Graph}$ is $(\mathcal{L}_1, \mathcal{L}_2)$-secure against adaptive chosen-query attacks as well.


Structured Encryption and Controlled Disclosure 589 


The theorem follows by construction. Note that if $\mathsf{Label}$ is instantiated with the
scheme from Section 5.2 then $\mathcal{L}_1$ leaks the size of the graph, the number of data
items and the length of the largest data item, while $\mathcal{L}_2$ leaks the degree of the
node and the query and intersection patterns.

We now discuss a slight variation of this construction to handle incoming and
outgoing neighbor queries on directed graphs. This will be useful as a building
block for the construction we describe in Section 6. An incoming neighbor query
is: given a node $i$, return all the nodes that point to it; and an outgoing neighbor
query is: given a node $i$, return all the nodes that it points to. We stress that the
changes we describe do not affect security in any way.

Consider the scheme $\mathsf{Graph}^+ = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Token}, \mathsf{Neigh}_e, \mathsf{Dec})$ defined exactly
as $\mathsf{Graph}$ except that the $\mathsf{Enc}$ algorithm constructs the labeling in the following
manner: instead of associating a data item $m_i$ to the set of nodes adjacent to
node $i$, associate $m_i$ to the nodes that are pointed to by node $i$. Similarly, a
scheme $\mathsf{Graph}^-$ can be constructed by associating to data item $m_i$ the set of
nodes that point to node $i$.

5.4 Adjacency Queries on Graphs 

In this Section we give a simple scheme to encrypt graphs supporting adjacency
queries based on any matrix encryption scheme. The approach is straightforward
and, at a high level, consists of encrypting the graph’s adjacency matrix. Given
data $(G, m)$, where $G = (V, E)$ is a directed graph of size $n$ and each data item $m_i$
is assigned to some edge in $E$, encryption proceeds as follows. We create a matrix
$M$ that holds at location $(\alpha, \beta)$ a pointer to the data item associated with edge
$(\alpha, \beta) \in E$ (or $\bot$ when there is no such edge). We then use the matrix encryption
scheme on $(M, m)$. Our construction is described in detail in Figure 4.


Let $\mathsf{Matrix} = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Token}, \mathsf{Lkp}_e, \mathsf{Dec})$ be an associative en-
cryption scheme for matrix-structured data. Our scheme $\mathsf{Graph} =
(\mathsf{Gen}, \mathsf{Enc}, \mathsf{Token}, \mathsf{Adj}_e, \mathsf{Dec})$ is defined as follows:

- $\mathsf{Gen}(1^k)$: generate and output $K \leftarrow \mathsf{Matrix}.\mathsf{Gen}(1^k)$.

- $\mathsf{Enc}(K, G, \mathbf{M})$: construct a matrix $M$ as follows: if $(\alpha, \beta) \in E$ then
$M[\alpha, \beta]$ stores a pointer to the item assigned to edge $(\alpha, \beta)$; if $(\alpha, \beta) \notin E$
then $M[\alpha, \beta] = \bot$. Output $(\gamma, c) \leftarrow \mathsf{Matrix}.\mathsf{Enc}_K(M, \mathbf{M})$.

- $\mathsf{Token}(K, i, j)$: compute and output $\tau \leftarrow \mathsf{Matrix}.\mathsf{Token}_K(i, j)$.

- $\mathsf{Adj}_e(\gamma, \tau)$: output $J := \mathsf{Matrix}.\mathsf{Lkp}_e(\gamma, \tau)$.

- $\mathsf{Dec}(K, c_j)$: output $m_j := \mathsf{Matrix}.\mathsf{Dec}_K(c_j)$.


Fig. 4. A structured encryption scheme for graphs supporting adjacency queries


Theorem 4. If $\mathsf{Matrix}$ is $(\mathcal{L}_1, \mathcal{L}_2)$-secure against adaptive chosen-query attacks,
then so is $\mathsf{Graph}$.

Again, the theorem follows by construction. If $\mathsf{Matrix}$ is instantiated with the
construction from Section 5.1 then $\mathcal{L}_1$ leaks the size of the graph, the number
of edges (footnote 4), the number of data items and the length of the largest data item. $\mathcal{L}_2$
leaks the query and intersection patterns.

6 Structured Encryption for Labeled Graphs 

In this Section we describe an adaptively secure structured encryption scheme for
data that is both labeled and associated with a graph structure. As an example,
consider a web graph where each page is labeled with a set of keywords (which
could be the set of all the words in the page) and points to a set of other pages.
Another example is social network data which consists of user profiles (with
some associated meta-data) that link to other users.

While the constructions from the previous Section can be used to encrypt 
this type of data, the queries they support (i.e., keyword search, adjacency, and 
neighbor queries) are limited in this setting since they are only relevant to part of 
the data’s structure. Indeed, if we were to encrypt a web graph using a scheme 
for labeled data, then we could only perform keyword search. Similarly, if we 
were to use a graph encryption scheme that supports only neighbor queries then 
we could only retrieve pages that are linked from a particular page. But web 
graphs, and labeled graph data in general, exhibit a much richer structure and 
ideally we would like to design schemes that support more complex queries that 
take advantage of this structure. 

Focused subgraph queries. One example of a complex query on web graphs is the
focused subgraph query. These queries are an essential part of a certain class
of search engine algorithms which includes Kleinberg’s seminal HITS algorithm
[ref] and the SALSA algorithm [ref]. At a high level, they work as follows. Given
a keyword $w$, a keyword search is performed over the web pages. This results in
a subset of pages called the root graph. A focused subgraph is then constructed
by adding all the pages that either link to pages in the root graph or are linked
from pages in the root graph. An iterative algorithm is then applied to the fo-
cused subgraph which returns, for each page, a score that quantifies its relevance
with respect to keyword $w$. The key property of these “link-analysis” algorithms
(and the reason for their success) is that they take advantage not only of the
information provided by the keywords associated with the pages, but also of the
implicit information embedded in the graph structure (i.e., the links) of the web
graph.

Our approach. At a high level, our approach is to decompose the complex struc-
ture into simpler structures (e.g., in the case of a web graph into its graph and
its labeling) and then use different structured encryption schemes to handle each
“sub-structure”. We note, however, that the sub-structures cannot be handled
in isolation. In particular, for this approach to work the individual schemes have
to be combined in a particular way. This is where we make essential use of asso-
ciativity, which will allow us to “chain” the schemes together in order to obtain
the functionality we want (this technique will be illustrated in our discussion
below).

4 The number of edges can be hidden by padding $m$ with $n^2 - |E|$ random strings
whose lengths are distributed similarly to real data items.

Our construction. We now illustrate our second approach for the case of web
graphs but note that our construction applies to any labeled graph data. A
detailed description of our construction is given in Figure 5. We note that it is
not associative. A web graph will be viewed as a tuple $(G, L, m)$, which consists
of a directed graph $G \in \mathcal{G}_n$ of size $n$, a labeling $L$ over a keyword space $W$, and
text pages $m$. The graph $G$ encodes the link structure of the web graph and
the labeling assigns keywords to each page (footnote 5). The focused subgraph operation
$\mathsf{Subgraph} : \mathcal{G}_n \times W \to \mathcal{G}_{\le n}$ takes as input a directed graph $G$ of size $n$ and a
keyword $w$ and returns the subgraph $G(w)$ that consists of (1) the nodes $i$ in
$L(w)$; (2) any node that links to the nodes in $L(w)$; and (3) any node that is
linked from the nodes in $L(w)$.

Our construction makes use of three structured encryption schemes: $\mathsf{Label}$
that supports search over labeled data, $\mathsf{Graph}^-$ that supports incoming neighbor
queries over graph-structured data, and $\mathsf{Graph}^+$ that supports outgoing neighbor
queries over graph-structured data. We stress that $\mathsf{Label}$ must be associative.
Given a web graph $(G, L, m)$ we encrypt $(G, m)$ using both $\mathsf{Graph}^+$ and $\mathsf{Graph}^-$,
resulting in ciphertexts $c^+$ and $c^-$. Now, for each node $i$ in $G$, we generate a pair
of tokens $(\tau_i^+, \tau_i^-)$. We then use $\mathsf{Label}$ to encrypt $(L, m)$ using the token pairs
$(\tau_i^+, \tau_i^-)$ as semi-private data (recall that $\mathsf{Label}$ is associative). We then output
the encryption $c^l$ of $(L, m)$.

A focused subgraph query on keyword $w$ is handled as follows. A token $\tau^l \leftarrow
\mathsf{Label}.\mathsf{Token}_K(w)$ is generated and sent to the server. When used with the cipher-
text $c^l$, this token will reveal to the server (1) pointers to all the (encrypted) web
pages labeled with keyword $w$; and (2) for each of these encrypted pages $c_j$, the
semi-private information which consists of tokens $(\tau_j^+, \tau_j^-)$. For each encrypted
page, the server can then use the token pairs with ciphertexts $c^+$ and $c^-$ to re-
cover pointers to any incoming and outgoing neighbors of page $c_j$.

Theorem 5. If $\mathsf{Label}$, $\mathsf{Graph}^+$ and $\mathsf{Graph}^-$ are respectively (stateless) $(\mathcal{L}_1^l, \mathcal{L}_2^l)$-
secure, $(\mathcal{L}_1^+, \mathcal{L}_2^+)$-secure and $(\mathcal{L}_1^-, \mathcal{L}_2^-)$-secure against adaptive chosen-query
attacks, then the scheme described above is $(\mathcal{L}_1, \mathcal{L}_2)$-secure against adaptive
chosen-query attacks, where

$\mathcal{L}_1(G, L, m) = \big(\mathcal{L}_1^l(L, m), \mathcal{L}_1^+(G, m), \mathcal{L}_1^-(G, m)\big)$

and

$\mathcal{L}_2(G, L, w) = \Big(\mathcal{L}_2^l(L, w), \big(\mathcal{L}_2^+(G, i)\big)_{i \in L(w)}, \big(\mathcal{L}_2^-(G, i)\big)_{i \in L(w)}\Big).$

The proof is omitted due to lack of space but appears in the full version [ref].

5 If we wish to perform full-text search then the labeling can simply assign a page to
all of its words.
Let $\mathsf{Label} = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Token}, \mathsf{Search}_e, \mathsf{Dec})$ be an encryption scheme for
labeled data, $\mathsf{Graph}^+ = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Token}, \mathsf{Neigh}_e, \mathsf{Dec})$ and $\mathsf{Graph}^- =
(\mathsf{Gen}, \mathsf{Enc}, \mathsf{Token}, \mathsf{Neigh}_e, \mathsf{Dec})$ be graph encryption schemes that support
neighbor queries. Our scheme $\mathsf{LabGraph} = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Token}, \mathsf{Subgraph}_e, \mathsf{Dec})$
is defined as follows:

- $\mathsf{Gen}(1^k)$: generate three keys $K_1 \leftarrow \mathsf{Graph}^+.\mathsf{Gen}(1^k)$, $K_2 \leftarrow
\mathsf{Graph}^-.\mathsf{Gen}(1^k)$ and $K_3 \leftarrow \mathsf{Label}.\mathsf{Gen}(1^k)$. Let $K = (K_1, K_2, K_3)$.

- $\mathsf{Enc}(K, G, m)$:

1. compute $(\gamma^+, c^+) \leftarrow \mathsf{Graph}^+.\mathsf{Enc}_{K_1}(G, m)$,

2. compute $(\gamma^-, c^-) \leftarrow \mathsf{Graph}^-.\mathsf{Enc}_{K_2}(G, m)$,

3. for $1 \le i \le n$,

(a) compute $\tau_i^+ \leftarrow \mathsf{Graph}^+.\mathsf{Token}_{K_1}(i)$,

(b) compute $\tau_i^- \leftarrow \mathsf{Graph}^-.\mathsf{Token}_{K_2}(i)$,

4. let $L$ be the labeling generated from all the words in $m$ (i.e., each
$m_i$ is labeled with the words it contains) and let $v = \big((\tau_i^+, \tau_i^-)\big)_{i \in [n]}$,

5. compute $(\gamma^l, c^l) \leftarrow \mathsf{Label}.\mathsf{Enc}_{K_3}(L, M)$, where $M$ is composed of $m$
and $v$,

6. output $\gamma := (\gamma^+, \gamma^-, \gamma^l)$ and $c = (c^+, c^-, c^l)$.

- $\mathsf{Token}(K, w)$: output $\tau \leftarrow \mathsf{Label}.\mathsf{Token}_{K_3}(w)$.

- $\mathsf{Subgraph}_e(\gamma, \tau)$:

1. compute $(J^l, v_I) := \mathsf{Label}.\mathsf{Search}_e(\gamma^l, \tau)$

2. for all $j \in J^l$,

(a) compute $J_j^+ := \mathsf{Graph}^+.\mathsf{Neigh}_e(\gamma^+, \tau_j^+)$,

(b) compute $J_j^- := \mathsf{Graph}^-.\mathsf{Neigh}_e(\gamma^-, \tau_j^-)$,

3. output $J = \big(J^l, (J_j^+, J_j^-)_{j \in J^l}\big)$.

- $\mathsf{Dec}(K, c_j)$: return $m_j := \Pi.\mathsf{Dec}_{K_3}(c_j)$.


Fig. 5. A structured encryption scheme for web graphs supporting focused subgraph
queries
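An added, runnable instantiation (not the authors' code) of the Label scheme of Fig. 2 and of the Fig. 5 chaining, with Graph+ and Graph- obtained from Label over a neighbor labeling as in Sect. 5.3. It assumes HMAC-SHA256 for the PRFs F and P, a PRF-sorted index order for the PRP G, a counter-mode PRG both to expand F_{K1}(w) to the array length and as the private-key scheme Pi, and it stores the cell size beside the dictionary so the server can parse a decrypted array; the sample pages and edges in the test are constructed.

```python
import hashlib
import hmac
import secrets

# Instantiation assumptions (the paper leaves F, P, G and Pi abstract): F and P are HMAC-SHA256,
# F_{K1}(w) is expanded to the array length by a counter-mode PRG, G_{K4} is realised by sorting
# indices under a PRF, and Pi is nonce || (PRG(K3, nonce) XOR length-prefixed padded message).
NIL = 0xFFFFFFFF  # pointer value marking a padding cell inside a keyword array

def prf(key, *parts):
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:  # length-prefixed encoding, so (a, bc) and (ab, c) never collide
        b = p if isinstance(p, bytes) else str(p).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return h.digest()

def pad_stream(key, nonce, length):
    return b"".join(prf(key, nonce, c) for c in range((length + 31) // 32))[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# ---- Fig. 2: Label. L is {keyword: set of item indices}; all v_i must have the same length.
def label_gen():
    return tuple(secrets.token_bytes(16) for _ in range(3))  # (K1, K2, K3)

def label_enc(K, L, m, v):
    K1, K2, K3 = K
    n, vlen = len(m), len(v[0])
    K4 = secrets.token_bytes(16)
    order = sorted(range(n), key=lambda i: prf(K4, i))  # m*_j = m[order[j]]
    G = {i: j for j, i in enumerate(order)}             # G_{K4}(i): new location of item i
    tmax = max(len(I) for I in L.values())              # every keyword array is padded to tmax cells
    T = {}
    for w, I in L.items():
        if I:
            cells = [G[i].to_bytes(4, "big") + v[i] for i in sorted(I)]
            cells += [NIL.to_bytes(4, "big") + bytes(vlen)] * (tmax - len(I))
            arr = b"".join(cells)
            T[prf(K2, w)] = xor(arr, pad_stream(prf(K1, w), b"arr", len(arr)))
    ell, c = max(len(x) for x in m), []
    for j in range(n):  # pad each item to ell bytes and encrypt it at its permuted position
        star = len(m[order[j]]).to_bytes(4, "big") + m[order[j]].ljust(ell, b"\0")
        nonce = secrets.token_bytes(16)
        c.append(nonce + xor(star, pad_stream(K3, nonce, len(star))))
    return {"T": T, "cell": 4 + vlen}, c

def label_token(K, w):
    return prf(K[0], w), prf(K[1], w)  # (F_{K1}(w), P_{K2}(w))

def label_search(gamma, tau):
    alpha, beta = tau
    if beta not in gamma["T"]:
        return [], []
    s = xor(gamma["T"][beta], pad_stream(alpha, b"arr", len(gamma["T"][beta])))
    J, vI = [], []
    for k in range(0, len(s), gamma["cell"]):
        j = int.from_bytes(s[k:k + 4], "big")
        if j != NIL:
            J.append(j)
            vI.append(s[k + 4:k + gamma["cell"]])
    return J, vI

def label_dec(K, cj):
    star = xor(cj[16:], pad_stream(K[2], cj[:16], len(cj) - 16))
    return star[4:4 + int.from_bytes(star[:4], "big")]

# ---- Sect. 5.3 / Fig. 5: Graph+ and Graph- are Label over a labeling in which searching
# "keyword" i returns i's out- (resp. in-) neighbours; their tokens become Label's semi-private data.
def labgraph_gen():
    return label_gen(), label_gen(), label_gen()  # K1 (Graph+), K2 (Graph-), K3 (Label)

def labgraph_enc(K, n, edges, pages):
    K1, K2, K3 = K
    no_v = [b""] * n  # the two graph encryptions carry no semi-private data
    gp, cp = label_enc(K1, {i: {b for a, b in edges if a == i} for i in range(n)}, pages, no_v)
    gm, cm = label_enc(K2, {i: {a for a, b in edges if b == i} for i in range(n)}, pages, no_v)
    v = [b"".join(label_token(K1, i) + label_token(K2, i)) for i in range(n)]  # (tau_i^+, tau_i^-)
    L = {}
    for i, page in enumerate(pages):  # each page is labeled with the words it contains
        for w in set(page.decode().split()):
            L.setdefault(w, set()).add(i)
    gl, cl = label_enc(K3, L, pages, v)
    return (gp, gm, gl), (cp, cm, cl)

def labgraph_token(K, w):
    return label_token(K[2], w)

def labgraph_subgraph(gamma, tau):
    gp, gm, gl = gamma
    Jl, vI = label_search(gl, tau)
    nbrs = {}
    for j, vj in zip(Jl, vI):  # unpack (tau_j^+, tau_j^-) and query both graph encryptions
        tp, tm = (vj[:32], vj[32:64]), (vj[64:96], vj[96:128])
        nbrs[j] = (label_search(gp, tp)[0], label_search(gm, tm)[0])
    return Jl, nbrs
```

The pointers returned for the focused subgraph are positions in the three separately permuted ciphertext sequences, so the server learns the query and intersection patterns of each component but not which original pages were touched.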

7 Conclusions and Future Directions 

Several interesting future directions are suggested by this work. The most im- 
mediate is whether efficient and non-interactive structured encryption can be 
achieved while leaking less than the query and intersection pattern. The con- 
struction of efficient dynamic structured encryption schemes (i.e., that allow 
for updates to the encrypted data) is another direction left open by this work. 
Of course, the construction of schemes that handle other types of structured 
data and more complex queries on the data types considered here would also be 
interesting. 
Abstract. Blinding is a popular and well-known countermeasure to
protect public-key cryptosystems against side-channel attacks. The high
level idea is to randomize an exponentiation in order to prevent multiple
measurements of the same operation on different data, as such measure-
ments might allow the adversary to learn the secret exponent. Several
variants of blinding have been proposed in the literature, using additive
or multiplicative secret-sharing to blind either the base or the exponent.
These countermeasures usually aim at preventing particular side-channel
attacks (mostly power analysis) and come without any formal security
guarantee.

In this work we investigate to what extent blinding can provide prov-
able security against a general class of side-channel attacks. Surprisingly,
it turns out that in the context of public-key encryption some blinding
techniques are more suited than others. In particular, we consider a mul-
tiplicatively blinded version of ElGamal public-key encryption where

- we prove that the scheme, instantiated over bilinear groups of prime
order $p$ (where $p - 1$ is not smooth), is leakage resilient in the generic-
group model. Here we consider the model of chosen-ciphertext secu-
rity in the presence of continuous leakage, i.e., the scheme remains
chosen-ciphertext secure even if with every decryption query the
adversary can learn a bounded amount (roughly $\log(p)/2$ bits) of
arbitrary, adversarially chosen information about the computation.

- we conjecture that the scheme, instantiated over arbitrary groups of
prime order $p$ (where $p - 1$ is not smooth), is leakage resilient.

Previous to this work no encryption scheme secure against continuous
leakage was known. Constructing a scheme that can be proven secure in
the standard model remains an interesting open problem.


1 Introduction 

Side-channel attacks are cryptanalytic attacks against physical implementations
of cryptosystems that exploit some kind of information leakage from the crypto-
device during execution. Traditional security notions (such as chosen-ciphertext se-
curity for encryption schemes) do not provide any security guarantee against such
attacks, and many implementations of provably secure cryptosystems were broken
by side-channel attacks exploiting side-channels such as running-time [ref], elec-
tromagnetic radiation [refs], power consumption [ref], fault detection [refs] and
many more (see, e.g., [refs]).

* Part of the work conducted while the author was at CWI, Amsterdam.

M. Abe (Ed.): ASIACRYPT 2010, LNCS 6477, pp. 595-612, 2010.

Countermeasures against side channel attacks can either be algorithmic, or
on the hardware level. In the latter case, one generally tries to build hardware
that leaks as little information as possible (e.g., by shielding electromagnetic ra-
diation). Algorithmic countermeasures mean that one designs algorithms such
that their mere description already provides security against side channel at-
tacks. (E.g., one can protect against timing attacks by making sure that the
running time of the algorithm is independent of the secret.) Traditionally, such
algorithmic countermeasures (such as masking or blinding, cf. [ref] for a list of
relevant papers) are mostly ad-hoc in the sense that they defend against some
specific and known attacks.

Leakage Resilient Cryptography. Recently, formal models were proposed
where one does not assume any particular side-channel against which to pro-
tect, but only requires that potential side-channels are in some sense “resource
bounded.” In the model of leakage resilience [ref] one considers adversaries
which, on each invocation of the cryptographic primitive, can learn a bounded
amount of arbitrary information about the secret internal state that was accessed
during invocation. Since the overall amount of leaked information is unbounded
(and may be much larger than the size of the secret state), this model is also of-
ten referred to as continuous leakage (e.g., [refs]). As we will discuss below, this
is in sharp contrast to the model of “memory leakage” (e.g., [refs]) which
has the inherent limitation that the amount of leaked information is a priori
bounded and therefore cannot exceed the size of the secret state.

An implementation of a leakage resilient primitive will then be secure against
every side-channel attack that fits our general model, i.e., as long as the amount
of information that is leaked on each invocation is sufficiently bounded, and
moreover the device adheres to the “only computation leaks information” axiom
from [ref], which states that memory content that is not accessed during an invo-
cation does not leak. Security in this bounded leakage model hence means that
the hardware implementation of the cryptosystem only has to be protected to fit
the above model; once that is done, the proof provides security of the scheme. Us-
ing bounded leakage is inspired by the bounded retrieval model [refs],
which in turn was inspired by the bounded-storage model [refs].

So far most theoretical research has focused on preventing memory leakage
[refs], and the only known leakage resilient primitives (in our sense of
security against continuous leakage) are stream-ciphers [refs], digital signatures
[ref] and — in a weaker “non-adaptive” model — pseudorandom functions and
permutations [ref]. Recently, general compilers have been proposed which turn
any circuit into a leakage-resilient one [refs]. Currently, these general compilers
are just a proof of concept and too inefficient to be used in practice, relying on
fully homomorphic encryption [ref] or requiring one full encryption per gate [ref].
In this paper, we address the problem of leakage resilient public-key encryption
(PKE). The standard security notion for PKE is indistinguishability under a
chosen plaintext attack (IND-CPA) or the stronger notion of indistinguishability
under a chosen ciphertext attack (IND-CCA) (footnote 1).

Modelling Leakage Resilience. Consider some cryptosystem $\mathsf{CS}$, let $S_0$
denote its initial internal state and $S_i$ its state after the $i$th invocation. On the
$i$th invocation of $\mathsf{CS}$, the adversary chooses some input $X_i$ and gets $Y_i$, where
$(S_{i+1}, Y_i) \leftarrow \mathsf{CS}(S_i, X_i)$.

In the original definition of leakage resilience [ref], the adversary gets the
additional power to choose, besides the regular input $X_i$, some leakage function
$f_i$ whose range is bounded to some fixed $\lambda \in \mathbb{N}$ bits with every query. After
the $i$th invocation she not only gets the regular output $Y_i$, but additionally
the leakage value $f_i(S_i^+, R)$ where $R$ is the randomness that $\mathsf{CS}$ used during
its computation, and $S_i^+$ is the subset of the state $S_i$ that was accessed (i.e.,
read and/or written) during computation. Note that to be leakage resilient, a
primitive must be stateful (i.e. $S_i \neq S_{i-1}$), as otherwise one can just leak the
state $\lambda$ bits at a time.

In this paper we will use a more fine-grained notion of leakage resilience, where an invocation of CS (which will be a decryption query) is split in two phases, and those two phases leak individually. More precisely, the computation of a decryption can syntactically be split into two phases Dec1* and Dec2*, which are executed in sequential order to decrypt the message. As in a CCA attack, the adversary can make decryption queries with respect to a ciphertext $C$, and can furthermore specify two (efficiently computable) leakage functions, $f$ and $g$, whose range is bounded by $\lambda$ bits. ($\lambda$ is the leakage parameter.) In addition to the decryption of $C$ the adversary also obtains the output of $f$ and $g$ applied to all the inputs of Dec1* and Dec2*, respectively, including the algorithm's internal random coin tosses.

On Bounded Range and Domain. Summing up, leakage resilience considers attackers who, with every invocation, can adaptively choose a leakage function $f$ and then get the output of $f$ applied to the internal secret state (if the system is probabilistic, also all internal coin tosses) of the cryptosystem. The function $f$ can be arbitrary, but is restricted in its input domain and range:

Bounded range: The range of $f$ is $\{0,1\}^\lambda$ for some parameter $\lambda \in \mathbb{N}$.
Bounded domain: $f$ gets as input only the secret state that is actually accessed during this invocation.

A mathematical model of side-channel leakage is only useful if it captures (and thus implies security against) leakage that occurs in practice. As $f$ gets the same input as the cryptosystem CS, it can simulate the computation of CS on any conceivable hardware (e.g., all the values carried by wires on a computing circuit), and thus also compute any kind of leakage that might occur. However, the restriction on bounded range might not allow $f$ to actually output the entire leakage, and the restriction on bounded domain might make it impossible to simulate leakage that depends on earlier invocations; we discuss these points below.

1 In a CPA the adversary only gets the public key and then has to distinguish the encryptions of two different messages. In a CCA [refs] the adversary can also ask for decryptions of ciphertexts of her choice. We distinguish between CCA1 and the stronger CCA2 security; in the latter the adversary can make decryption queries also after she got the challenge ciphertext.

Bounded range. In practice, it seems hard to quantify how much information actual hardware (like a smart-card) actually leaks. In most side-channel attacks the adversary measures large amounts of data, e.g., an entire power-consumption curve. So at a glance this assumption might seem unreasonable, but this is a bit overly pessimistic.

Even though side-channel leakage may contain lots of data, only a small fraction can actually be exploited in each measurement. The model of leakage resilience allows only for the leakage of a small number $\lambda$ of bits, but this leakage is "worst case" in the sense that the adversary may choose the leakage function which outputs the most useful information. Below we outline two ways in which this observation can be made precise. The first shows that side-channel attacks used in practice are captured by leakage resilience, as they only exploit few bits of information from each actual measurement. The second is a relaxation of bounded leakage which can reasonably be assumed to be satisfied in practice.

Side-Channel Attacks Exploit Few Bits. Many side-channel attacks first measure large amounts of leakage $\Lambda_1, \Lambda_2, \ldots$ from every invocation, like a power consumption curve. Then, in a first step, each leakage $\Lambda_i$ is preprocessed in order to extract some "useful" information $\Lambda'_i$ (this $\Lambda'_i$ could, e.g., be a list of the most likely sub-keys). The attack then proceeds by trying to recover the secret key from $\Lambda'_1, \Lambda'_2, \ldots$. Such attacks are covered by leakage resilience whenever the amount of extracted data $|\Lambda'_i|$ is at most the amount of leakage $\lambda$ allowed per invocation.

Relaxing Bounded Range. By inspecting the proofs of our constructions (as well as the ones from [refs]), one sees that a restriction on the leakage functions is required which is considerably weaker than restricting the range to $\lambda$ bits: it is only required that the leakage $f(S^+)$ does not decrease the HILL-pseudoentropy [refs] (footnote 2) the adversary has about the active state $S^+$ by more than $\lambda$ bits. (More details will be given in the full version.) Thus, although it may be unreasonable to assume that no more than $\lambda$ bits leak per invocation of a smart-card, assuming that this leakage will only degrade the HILL-pseudoentropy by $\lambda$ bits seems much more realistic in practice.

Bounded domain. The bounded domain restriction is a very mild restriction. Unlike for bounded range, it is non-trivial to even imagine a remotely realistic side-channel attack which would break a scheme by not adhering to it. This restriction (on how leakage functions are mathematically modeled) is implied by the "only computation leaks information" axiom (which states something about physical properties of devices) of [refs]. But it also covers other practical attacks which do not satisfy this axiom. For example, note that an adversary can learn any linear function $f(S)$ of the entire state $S$ (which is split in, say, two parts $S_1, S_2$ that are accessed individually) by specifying leakage functions $f_1, f_2$ such that $f_1(a) + f_2(b) = f(a, b)$ (the adversary can ask to learn $f_1(S_1)$ and $f_2(S_2)$ as $S_1$ and $S_2$ are accessed respectively, and then compute $f(S)$ locally). This simple observation already shows that claims made in the literature arguing that the bounded range and domain restrictions do not cover attacks like "cold-boot attacks" [refs] or static leakage (as claimed in [refs]) are not well-founded (footnote 3). As argued by Dziembowski (footnote 4), this restriction not only covers all linear functions $f(a, b) = f_1(a) + f_2(b)$, but in fact any function $f(a, b)$ which has a communication complexity of at most $\lambda$. A good candidate for an actual leakage function that does invalidate this assumption (footnote 5) is the inner product $f(a, b) = \sum_i a_i \cdot b_i \bmod 2$, which has linear communication complexity.

2 HILL-pseudoentropy is a computational analogue of min-entropy. As for min-entropy, $\lambda$ bits of information cannot decrease it (in expectation) by more than


1.1 ElGamal Encryption 

The ElGamal encryption scheme [refs] over a cyclic group $G$ of prime order $p$ works as follows. The public key consists of a generator $g$ of $G$ and $X = g^x$, where $x \in \mathbb{Z}_p$ is the secret key. Encryption defines the ciphertext as $C = g^r$ and uses the symmetric key $K = X^r$ to blind the message. Decryption reconstructs the key by computing $K = C^x$. In its hybrid version, ElGamal encryption is contained in many standard bodies (e.g., [refs]) and it is (using the name Elliptic Curve Integrated Encryption System, "ECIES") commonly considered to be the standard method to encrypt over elliptic curves. At this point it may be instructive to see why the ElGamal encryption scheme is not leakage resilient. An adversary, in the $i$th decryption query, can specify a leakage function that outputs the $i$th bit of the secret key $x$. Therefore, after $q = |x|$ queries to the leakage oracle the entire secret key can be reconstructed. As we already pointed out, the inherent reason why the above attack works is that decryption is stateless.

Let's first look at a straightforward (but unsuccessful) attempt to make the ElGamal scheme leakage resilient. To this end we make decryption stateful and split it into two parts Dec1* and Dec2*. The secret key is additively shared into $x = \sigma_0 + \sigma'_0$ by choosing a random $r_0$ and setting $\sigma_0 = x - r_0$ and $\sigma'_0 = r_0$. Decryption works as follows. The first part Dec1* computes $\sigma_i = \sigma_{i-1} + r_i \bmod p$, $K' = C^{\sigma_i}$ and passes $K'$ as input to the second part. Dec2* computes $\sigma'_i = \sigma'_{i-1} - r_i \bmod p$ and then $K = K' \cdot C^{\sigma'_i}$. Note that the state information is randomly re-shared subject to $\sigma_i + \sigma'_i = x$. However, this scheme is not leakage resilient since an attacker can adaptively learn certain bits of the shares $\sigma_i$ and $\sigma'_i$ (which satisfy $\sigma_i + \sigma'_i = x$ and differ from $x$ only by the accumulated randomness $R_i = \sum_j r_j$) that enable him to fully reconstruct the secret key (footnote 6).

3 In the above argument we implicitly assumed that ultimately the entire secret state will be touched. Although this seems obvious (after all, why would one save a secret state if it is not supposed to be ever read), the tokens used in the construction of one-time programs [refs] are an example where exactly this happens. For such primitives obeying the "only computation leaks information" axiom in its original physical sense is necessary.

4 At the workshop "Provable security against physical attacks", February 2010, Leiden.

5 And thus might be used to construct an actual real world counterexample where the security of an implementation gets broken because the bounded domain restriction is invalidated.


1.2 Our Results 

Conjectured leakage resilient ElGamal encryption. We consider a practical randomization method to make the ElGamal PKE scheme (or one of its standardized hybrid variants) leakage resilient under chosen-ciphertext attacks in the above sense. In the context of leakage resilience this method (or variants thereof) was already proposed in [refs]. The central idea is to use multiplicative secret sharing to share the secret key $x$, i.e., $x$ is shared as $\sigma_i = x R_i^{-1} \bmod p$ and $\sigma'_i = R_i \bmod p$, for some random $R_i \in \mathbb{Z}_p^*$. More precisely, the first part of decryption computes $\sigma_i = \sigma_{i-1} r_i^{-1} \bmod p$ and $K' = C^{\sigma_i}$. The second part computes $\sigma'_i = \sigma'_{i-1} r_i \bmod p$ and then $K = K'^{\sigma'_i}$. Again note that the state information is randomly reshared subject to $\sigma_i \cdot \sigma'_i = x$. We remark that our method does not modify ElGamal's encryption algorithm; it only modifies the way ciphertexts are decrypted. In particular, public keys and ciphertexts are the same as in ElGamal encryption and therefore our method offers an attractive way to update existing ElGamal-based systems with algorithmic security against side-channel attacks. Unfortunately, we are not able to prove that the above method is leakage resilient and therefore we can only state the scheme's security as a conjecture.

Provable leakage resilient ElGamal encryption. We also propose to apply multiplicative secret sharing to the ElGamal encryption scheme instantiated over bilinear groups. Our main theorem (Theorem 1) states that this scheme is leakage resilient against CCA1 attacks in the generic group model. The key observation is that the secret key is a group element $X$ and decryption performs a pairing operation with $X$ as one fixed base. This allows us to multiplicatively share the secret key as a group element, i.e., $X = \sigma_i \cdot \sigma'_i \in G$. Intuitively, we use the fact that in the generic group model some bits of the representation of $\sigma_i$ and $\sigma'_i$ essentially look random and therefore are useless to the leakage adversary. To formally prove this intuition, however, turns out to be surprisingly difficult.

We also mention that a proof in the generic group model has its obvious weaknesses (see, e.g., [refs]). In particular in connection with side channel attacks the generic group model may "abstract away" too much important information an adversary may obtain in a real implementation of the scheme. This should be taken into account when interpreting our formal security statement. However, our result seems to be the first PKE scheme that is provably leakage resilient. Furthermore, the scheme is very practical. Another possible interpretation of our result is that when protecting the exponentiation function against (a large class of) side-channel attacks, multiplicative secret sharing techniques seem more suitable than additive ones.

6 Since $x = \sigma_i + \sigma'_i \bmod p$, the first $t \le \lambda$ least significant bits of $x$ can be computed as $((\sigma_i \bmod 2^t) + (\sigma'_i \bmod 2^t)) \bmod 2^t$, minus an additive factor $p \bmod 2^t$ in case there is an overflow mod $p$. (The latter can be checked from the high order bits of $\sigma_i$ and $\sigma'_i$.) This process can be iterated to learn the entire secret key.

Leakage Resilient Exponentiation and Pairing Operation. Speaking more generally, our above mentioned methods to secure ElGamal against side-channel attacks show that one can possibly make discrete exponentiation and a pairing operation leakage resilient. Let $G$ be a group of prime order $p$ and $g$ be a generator of $G$. In discrete exponentiation one wants to take public group elements $Y_i$ to some fixed secret power $x$ (which is only leaked through $g^x$). We propose to share $x$ as $x = x' \cdot x'' \bmod p$ and compute the values $K_i = Y_i^x$ in two iterative steps as $K'_i = Y_i^{x'}$ followed by $K_i = (K'_i)^{x''}$. After each such computation $x'$ and $x''$ get randomly reshared subject to $x = x' \cdot x'' \bmod p$. In a pairing operation one is given public group elements $Y_i$ and wants to compute $e(Y_i, X)$, for some fixed secret group element $X$ (which is only leaked through $e(g, X)$). Here $e : G \times G \to G_T$ is a bilinear pairing. Again we propose to share $X$ as $X = X' \cdot X'' \in G$ and compute the values $K_i = e(Y_i, X)$ in three iterative steps as $K'_i = e(Y_i, X')$, $K''_i = e(Y_i, X'')$, and $K_i = K'_i \cdot K''_i \in G_T$, followed by a resharing of $X = X' \cdot X'' \in G$. Our main result (Theorem 1) shows that our method to perform a pairing operation is provably leakage resilient in the generic group model.

Difficulty to prove leakage resilience against CCA2 attacks. It is well known that the ElGamal encryption scheme, where the key $K$ is hashed and the one-time pad is replaced with a chosen-ciphertext secure symmetric cipher, is secure against CCA2 attacks [refs]. We remark that this scheme is not leakage resilient against CCA2 attacks since an adversary can adaptively obtain some bits about the unhashed symmetric key of the challenge ciphertext. Indeed, building a PKE scheme that is (provably) leakage resilient against CCA2 attacks remains a challenging open problem.


1.3 Related Work 

In the hardware community the usefulness of secret sharing in the context of side-channel countermeasures is well known. In particular, secret sharing has been proposed as a countermeasure against "differential power analysis attacks" for exponentiation algorithms in [refs], but without any formal analysis.

Most works on side-channel countermeasures, including the ones just mentioned, consider countermeasures against particular side-channel attacks. Micali and Reyzin [refs] in their work on "physically observable cryptography" proposed an influential theoretical framework to capture side-channel attacks on a more general level.
Besides leakage resilience, there are several other models that consider cryptosystems which remain secure even if a function $f(sk)$ (chosen by the adversary from a very broad class of functions) of the secret key $sk$ is leaked. We shortly mention these models below. The main difference to leakage resilience is that those models consider stateless cryptosystems, and thus cannot tolerate any kind of "continuous" leakage (an exception is the very recent work on "continuous memory attacks"). On the other hand, the leakage function in those works gets the entire state as input, and not just the part of the state that was accessed.

Memory Attacks. Akavia et al. [refs] introduce the model of "security against memory attacks," where one requires that the scheme remains secure even if a function $f(sk)$ of the secret $sk$ is leaked once, where the only restriction on $f(\cdot)$ one makes is its bounded output length. (Clearly the bound must satisfy $|f(sk)| \ll |sk|$. This model is a restricted version of the BRM model discussed below.) [refs] construct public-key encryption schemes in this model, Katz and Vaikuntanathan [refs] construct digital signatures.

Bounded Retrieval Model. The bounded retrieval model (BRM) [refs] is a generalization of the previous model, where one requires that the secret key can be made huge, while the scheme still remains efficient. Such schemes can provide security against malware like viruses or Trojans, which temporarily take control over a computer, but do not have enough "bandwidth" to leak the entire artificially huge key. Most works on intrusion resilient crypto consider symmetric primitives, but after the first success in constructing public-key cryptosystems secure against memory attacks (mentioned above), Alwen et al. achieved public-key crypto also in the BRM model, in particular authentication and signature schemes [refs] and public-key encryption [refs].

Auxiliary Input. Dodis et al. construct symmetric [refs] and public-key [refs] encryption schemes in a model where the range of $f(\cdot)$ may be unbounded, but one only requires that it is hard to recover $sk$ from $f(sk)$ (i.e. any polynomial time adversary should output $sk$ with exponentially small probability).

Continuous Memory Attacks. Very recently, Dodis, Haralambiev, Lopez-Alt, and Wichs [refs] and Brakerski, Kalai, Katz and Vaikuntanathan [refs] introduce the model of "continuous memory attacks." This model generalizes the notion of memory attacks. Also here the adversary can learn a bounded amount, $\lambda$ bits say, of leakage about the (entire) secret key. But now there is an additional "refresh" procedure which takes the secret key $sk$ and outputs a new secret key $sk'$. The adversary can learn $\lambda$ bits (where $\lambda$ is $c|sk|$ for some constant $c > 0$) in between any two refresh phases, but the refreshing itself has to be completely leak-free [refs] or leak at most a logarithmic number of bits [refs]. Remarkably, in this model [refs] construct authentication and signature schemes, and [refs] obtain public-key encryption. Both papers work in the standard model; the underlying assumption in both papers is the linear assumption over bilinear groups. The models of leakage resilience and continuous memory attacks are incomparable: leakage resilience assumes "only computation leaks" whereas continuous memory attacks need an (almost) leak-free refresh phase. As mentioned, the constructions [refs] are proven secure in the standard model, whereas we use a strong idealized model. On the positive side, our scheme is very efficient (only about two times slower than standard ElGamal) whereas, e.g., [refs] needs a constant number of pairings to encrypt a single bit.

2 Definitions

If $A$ is a deterministic algorithm we write $y \leftarrow A(x)$ to denote that $A$ outputs $y$ on input $x$. If $A$ is randomized we write $y \xleftarrow{\$} A(x)$ or $y \leftarrow A(x; r)$ if we want to make the randomness $r$ used by the algorithm explicit (for future reference).

Key Encapsulation Mechanisms. A key encapsulation mechanism (KEM) is defined similarly to a public-key encryption scheme, except that the encryption algorithm (called encapsulation) does not take any input, but rather outputs the encryption of a random key $K$, which then can be used as a key in any symmetric encryption scheme to encrypt the actual message.

Formally, a key-encapsulation mechanism KEM consists of three algorithms KG, Enc, Dec. $\mathrm{KG} : \{0,1\}^* \to \mathcal{PK} \times \mathcal{SK}$ is the probabilistic key-generation algorithm, which on input a security parameter $\kappa$ outputs a public/secret-key pair. The probabilistic encapsulation algorithm $\mathrm{Enc} : \mathcal{PK} \to \mathcal{K} \times \mathcal{C}$ and decapsulation algorithm $\mathrm{Dec} : \mathcal{SK} \times \mathcal{C} \to \mathcal{K} \cup \{\bot\}$ satisfy the following correctness property for all $\kappa$:

$\Pr\left[K = K' \mid (pk, sk) \xleftarrow{\$} \mathrm{KG}(\kappa);\ (C, K) \xleftarrow{\$} \mathrm{Enc}(pk);\ K' \leftarrow \mathrm{Dec}(sk, C)\right] = 1$

The CCA1 security (aka. security against lunchtime attacks) of a key-encapsulation mechanism KEM is defined by the following experiment.


Experiment $\mathrm{Exp}^{\mathrm{cca1}}_{\mathrm{KEM}}(\mathcal{F}, \kappa)$:
    $(pk, sk) \xleftarrow{\$} \mathrm{KG}(\kappa)$
    $w \xleftarrow{\$} \mathcal{F}^{\mathcal{O}^{\mathrm{cca1}}(\cdot)}(pk)$
    $b \xleftarrow{\$} \{0,1\}$
    $(C^*, K_0) \xleftarrow{\$} \mathrm{Enc}(pk)$
    $K_1 \xleftarrow{\$} \mathcal{K}$
    $b' \xleftarrow{\$} \mathcal{F}(w, C^*, K_b)$

Oracle $\mathcal{O}^{\mathrm{cca1}}(C)$:
    $K \leftarrow \mathrm{Dec}(sk, C)$
    Return $K$

Let $\mu$ denote the probability that $b = b'$ in the above experiment; then we define the advantage of $\mathcal{F}$ as $\mathrm{Adv}^{\mathrm{cca1}}_{\mathrm{KEM}}(\mathcal{F}, \kappa) = 2\,|1/2 - \mu|$. In CCA2 security, the adversary is additionally allowed to query the decryption oracle in its second (guess) stage.

Stateful key encapsulation and leakage resilience. To formally define our notion of leakage resilience we consider stateful key encapsulation mechanisms $\mathrm{KEM}^* = (\mathrm{KG}^*, \mathrm{Enc}^*, \mathrm{Dec1}^*, \mathrm{Dec2}^*)$ in which decapsulation is stateful and can formally be split into two sequential stages $\mathrm{Dec} = (\mathrm{Dec1}^*, \mathrm{Dec2}^*)$. The input/output behavior will stay exactly the same as in a standard KEM.

More formally, the key generation algorithm $\mathrm{KG}^*(\kappa)$ generates a public key and two initial states, $\sigma_0$ and $\sigma'_0$. Intuitively, the states share the secret key of the scheme and will be used by the stateful decapsulation algorithms Dec1*, Dec2*.

On the $i$th invocation of decapsulation, the decapsulated key $K_i$ is computed as follows:

$(\sigma_i, w_i) \leftarrow \mathrm{Dec1}^*(\sigma_{i-1}, C_i; r_i)\ ;\qquad (\sigma'_i, K_i) \leftarrow \mathrm{Dec2}^*(\sigma'_{i-1}, w_i; r'_i)$   (1)

Here $r_i$ and $r'_i$ are the explicit randomness of the two randomized algorithms, $\sigma_i$ and $\sigma'_i$ are the updated states and $w_i$ is some state information that is passed from Dec1* to Dec2*.

We now define leakage resilience. Let $\lambda \in \mathbb{N}$ be some leakage parameter. We will consider attacks where the adversary can not only query its oracle for the decapsulated values $K_i = \mathrm{Dec}(sk, C_i)$, but additionally gets leakage from the computation of those values. That is, in the security experiment the adversary can, additionally to the input $C_i$, specify two efficiently computable leakage functions $f_i, g_i$ with bounded range $\{0,1\}^\lambda$, and additionally to the regular output $K_i$ also gets $\Lambda_i, \Lambda'_i$ computed as

$\Lambda_i = f_i(\sigma_{i-1}, r_i)\ ;\qquad \Lambda'_i = g_i(\sigma'_{i-1}, w_i, r'_i)$,

where the notation is as in (1). So the functions $f_i, g_i$ get as input exactly the same data as Dec1*/Dec2* (footnote 7). We define the CCLA1 (chosen ciphertext with leakage attack) security of $\mathrm{KEM}^*$ by the experiment below. (Note that now we not only have to specify the security parameter $\kappa$, but also a leakage bound $\lambda$.)


Experiment $\mathrm{Exp}^{\mathrm{ccla1}}_{\mathrm{KEM}^*}(\mathcal{F}, \kappa, \lambda)$:
    $(pk, \sigma_0, \sigma'_0) \xleftarrow{\$} \mathrm{KG}^*(\kappa)$
    $i \leftarrow 0$
    $w \xleftarrow{\$} \mathcal{F}^{\mathcal{O}^{\mathrm{ccla1}}(\cdot,\cdot,\cdot)}(pk)$
    $b \xleftarrow{\$} \{0,1\}$
    $(C^*, K_0) \xleftarrow{\$} \mathrm{Enc}(pk)$
    $K_1 \xleftarrow{\$} \mathcal{K}$
    $b' \xleftarrow{\$} \mathcal{F}(w, C^*, K_b)$

Oracle $\mathcal{O}^{\mathrm{ccla1}}(C, f, g)$:
    If the range of $f$ or $g$ is $\not\subseteq \{0,1\}^\lambda$ return $\bot$
    $i \leftarrow i + 1$
    $(\sigma_i, w_i) \xleftarrow{r_i} \mathrm{Dec1}^*(\sigma_{i-1}, C)$
    $(\sigma'_i, K_i) \xleftarrow{r'_i} \mathrm{Dec2}^*(\sigma'_{i-1}, w_i)$
    $\Lambda_i \leftarrow f(\sigma_{i-1}, r_i)$
    $\Lambda'_i \leftarrow g(\sigma'_{i-1}, w_i, r'_i)$
    Return $(K_i, \Lambda_i, \Lambda'_i)$

Let $\mu$ denote the probability that $b = b'$ in the above experiment; then we define the advantage of $\mathcal{F}$ as $\mathrm{Adv}^{\mathrm{ccla1}}_{\mathrm{KEM}^*}(\mathcal{F}, \kappa, \lambda) = 2\,|1/2 - \mu|$.

It is well-known that a CCA1 secure KEM plus a one-time secure symmetric cipher (such as a one-time pad) yields a CCA1-secure PKE scheme. For trivial reasons the same statement is also true for CCLA1 secure KEMs, so for our purpose it is sufficient to build a CCLA1 secure KEM. On the other hand we remark that the respective composition theorem is wrong in general for CCLA2 secure KEMs. That is, a CCLA2 secure KEM and a CCA secure DEM will in general not yield a CCLA2 secure PKE scheme (footnote 8).

7 Note that $C_i$ need not be explicitly given to $f_i$ as the adversary chooses $f_i$ and $C_i$ together, and thus can "hard-code" $C_i$ into $f_i$.

Bilinear Groups. We assume the existence of a bilinear group generator BGen which is a randomized algorithm that outputs a bilinear group $\mathcal{PG} = (G, G_T, g, e, p)$ such that the following properties hold.

1. $G$ and $G_T$ are (multiplicative) cyclic groups of prime order $p$.

2. $g$ is a generator of $G$.

3. $e$ is a bilinear map $e : G \times G \to G_T$ which is

(a) bilinear: for all $u, v \in G$ and $a, b \in \mathbb{Z}$, $e(u^a, v^b) = e(u, v)^{ab}$.

(b) non-degenerate: $e(g, g) \neq 1$.

We say that $G$ is a bilinear group if there exists a group $G_T$ and a bilinear map $e : G \times G \to G_T$ as above, where $e$ and the group action in $G$ and $G_T$ can be computed efficiently. We will use $\circ$ and $*$ for the group operation in $G$ and $G_T$ respectively.

Generic Bilinear Groups. In the generic group model [refs] one encodes the group elements by unique, randomly chosen strings. This enforces that the only property which can be tested by an adversary is equality.

In the generic bilinear model (GBG) [refs] the encoding is given by randomly chosen injective functions $\xi : \mathbb{Z}_p \to \Sigma$ and $\xi_T : \mathbb{Z}_p \to \Sigma_T$ which give the representations of the elements in the base and target group respectively (w.l.o.g. we will assume that $\Sigma \cap \Sigma_T = \emptyset$). The group operation and the bilinear map are performed by three public oracles $\mathcal{O}, \mathcal{O}_T, \mathcal{O}_e$, where for any $a, b \in \mathbb{Z}_p$

- $\mathcal{O}(\xi(a), \xi(b)) \to \xi(a + b \bmod p)$ (group operation on base group).

- $\mathcal{O}_T(\xi_T(a), \xi_T(b)) \to \xi_T(a + b \bmod p)$ (group operation on target group).

- $\mathcal{O}_e(\xi(a), \xi(b)) \to \xi_T(a \cdot b \bmod p)$ (bilinear map).

All oracles output $\bot$ when queried on an input outside of their domain. For a fixed generator $g$ of $G$ and $g_T = e(g, g)$, one can think of $\xi(a)$ as an encoding of $g^a$, $\xi_T(a)$ as an encoding of $g_T^a$, and $\xi_e(a, b)$ as an encoding of $g_T^{ab} = e(g^a, g^b)$. Of course one also must provide some means of computing the group representation $\xi(a)$ or $\xi_T(a)$ for any $a \in \mathbb{Z}_p$, say by providing oracles to do so. We can get away without additional oracles by providing $\xi(1)$ and observing that then $\xi(a)$ can be computed making $\le 2\log p$ queries to $\mathcal{O}$ (by square and multiply). $\xi_T(1)$ (and thus any $\xi_T(a)$) can be computed as $\xi_T(1) = \mathcal{O}_e(\xi(1), \xi(1))$.

3 Leakage Resilient ElGamal Encryption

In this section we present a general method to secure ElGamal encryption against leakage attacks. First, we present a modification of the standard ElGamal cryptosystem over any cyclic group of prime order. Unfortunately, we are not able to formally prove the leakage resilience of this scheme, so we state its security as a conjecture. Next, we move to the ElGamal scheme over bilinear groups. Here we are able to prove that our method leads to a leakage resilient public-key encryption scheme (in the sense of CCLA1) in the generic group model.

8 An attacker may make a number of decryption queries only modifying the symmetric part of the challenge ciphertext. The decryption algorithm (internally) uses the challenge symmetric key that can be learned (bit-by-bit) through the leakage function.


3.1 ElGamal Key Encapsulation

Let Gen be a randomized algorithm that outputs a cyclic group $G$ of order $p$ where $p$ is a strong prime. The ElGamal key-encapsulation mechanism $\mathrm{EG} = (\mathrm{KG}_{\mathrm{EG}}, \mathrm{Enc}_{\mathrm{EG}}, \mathrm{Dec}_{\mathrm{EG}})$ is defined as follows.

- $\mathrm{KG}_{\mathrm{EG}}(\kappa)$: Compute $(G, p) \xleftarrow{\$} \mathrm{Gen}(\kappa)$ and choose random $g \xleftarrow{\$} G$ and random $x \xleftarrow{\$} \mathbb{Z}_p$. Set $X = g^x$. The public key is $pk = (G, p, X)$ and the secret key is $sk = x$.

- $\mathrm{Enc}_{\mathrm{EG}}(pk)$: choose random $r \xleftarrow{\$} \mathbb{Z}_p$. Set $C \leftarrow g^r \in G$ and $K \leftarrow X^r \in G$. The ciphertext is $C$ and the key is $K$.

- $\mathrm{Dec}_{\mathrm{EG}}(sk, C)$: Compute the key as $K = C^x \in G$.

As mentioned in the introduction, EG (or any other stateless scheme) cannot be leakage resilient since in the CCLA1 experiment an adversary can simply obtain the successive bits of the secret key $x$.

We will now describe a leakage resilient stateful key encapsulation mechanism $\mathrm{EG}^* = (\mathrm{KG}^*_{\mathrm{EG}}, \mathrm{Enc}^*_{\mathrm{EG}}, \mathrm{Dec1}^*_{\mathrm{EG}}, \mathrm{Dec2}^*_{\mathrm{EG}})$, which is derived from EG. As described in Section 2, the decapsulation algorithm is stateful and split in two parts.

- $\mathrm{KG}^*_{\mathrm{EG}}(\kappa)$: Run $(sk, pk) \xleftarrow{\$} \mathrm{KG}_{\mathrm{EG}}(\kappa)$. (Recall that $sk = x$ and $pk = (G, p, X = g^x)$.) Choose random $\sigma_0 \xleftarrow{\$} \mathbb{Z}_p^*$ and set $\sigma'_0 = x \sigma_0^{-1} \bmod p$. The public key is $pk$ and the two secret states are $\sigma_0$ and $\sigma'_0$.

- $\mathrm{Enc}^*_{\mathrm{EG}}(pk)$: the same as $\mathrm{Enc}_{\mathrm{EG}}(pk)$.

- $\mathrm{Dec1}^*_{\mathrm{EG}}(\sigma_{i-1}, C)$: choose random $r_i \xleftarrow{\$} \mathbb{Z}_p^*$, set $\sigma_i = \sigma_{i-1} r_i \bmod p$, $K' = C^{\sigma_i}$ and return $(r_i, K')$.

- $\mathrm{Dec2}^*_{\mathrm{EG}}(\sigma'_{i-1}, (r_i, K'))$: set $\sigma'_i = \sigma'_{i-1} r_i^{-1} \bmod p$ and $K = K'^{\sigma'_i}$. The symmetric key is $K$ and the updated state information is $\sigma_i$ and $\sigma'_i$.
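The following is an added example (not code from the paper) that runs $\mathrm{EG}^*$ as just defined, together with a decapsulation oracle shaped like $\mathcal{O}^{\mathrm{ccla1}}$ from Section 2, so both the two-stage resharing and the range check on the leakage functions can be exercised. The group parameters are constructed toy values: $G$ is the order-83 subgroup of $\mathbb{Z}_{167}^*$ (so $p = 83$, $p - 1 = 2 \cdot 41$, a strong prime as Conjecture 1 asks for) and $\lambda = 4$. Since Python cannot inspect the range of an arbitrary callable, the oracle checks the actual outputs of $f$ and $g$ against $\{0,1\}^\lambda$ and returns `None` for $\bot$; the function and variable names are this example's own.

```python
"""Stateful ElGamal KEM EG* with a multiplicatively shared secret key, plus a
CCLA1-style decapsulation oracle enforcing the lambda-bit range bound.
Added example, not the paper's code.  Toy parameters (constructed):
G is the order-p subgroup of Z_q^* with q = 2p + 1 = 167, p = 83, p - 1 = 2 * 41."""
import random

Q = 167          # toy modulus q = 2p + 1 (prime)
P = 83           # group order p (prime, p - 1 = 2 * 41, so p is a strong prime)
G_GEN = 4        # 4 = 2^2 is a quadratic residue mod 167, hence generates the order-p subgroup
LAMBDA = 4       # leakage bound lambda in bits, per leakage function and per invocation


def kg_star(rng):
    """KG*_EG: ElGamal key pair plus two initial states with sigma0 * sigma0' = x (mod p)."""
    x = rng.randrange(1, P)                  # secret key x (toy: drawn from Z_p^*)
    X = pow(G_GEN, x, Q)                     # public key X = g^x
    sigma0 = rng.randrange(1, P)             # sigma_0 random in Z_p^*
    sigma0p = x * pow(sigma0, -1, P) % P     # sigma_0' = x * sigma_0^{-1} mod p
    return (Q, P, G_GEN, X), sigma0, sigma0p, x


def enc(pk, rng):
    """Enc_EG, unchanged by the countermeasure: C = g^r, K = X^r."""
    q, p, g, X = pk
    r = rng.randrange(1, p)
    return pow(g, r, q), pow(X, r, q)


def dec1_star(sigma_prev, C, rng):
    """Dec1*_EG: fresh r_i, sigma_i = sigma_{i-1} * r_i mod p, K' = C^{sigma_i}.
    Returns the new state, w_i = (r_i, K') for Dec2*, and the coin toss r_i."""
    r_i = rng.randrange(1, P)
    sigma_i = sigma_prev * r_i % P
    return sigma_i, (r_i, pow(C, sigma_i, Q)), r_i


def dec2_star(sigmap_prev, w_i):
    """Dec2*_EG: sigma_i' = sigma_{i-1}' * r_i^{-1} mod p, K = K'^{sigma_i'}."""
    r_i, K_prime = w_i
    sigmap_i = sigmap_prev * pow(r_i, -1, P) % P
    return sigmap_i, pow(K_prime, sigmap_i, Q)


class CCLA1Oracle:
    """O^ccla1(C, f, g): runs both stages and returns (K_i, Lambda_i, Lambda_i').
    f sees (sigma_{i-1}, r_i); g sees (sigma_{i-1}', w_i) (Dec2*_EG has no coins of its own).
    The paper's syntactic range check is approximated by checking the outputs:
    anything outside {0,1}^lambda makes the oracle answer None (bottom)."""

    def __init__(self, sigma0, sigma0p, lam, rng):
        self.sigma, self.sigmap, self.lam, self.rng, self.i = sigma0, sigma0p, lam, rng, 0

    def query(self, C, f, g):
        self.i += 1
        sigma_prev, sigmap_prev = self.sigma, self.sigmap
        self.sigma, w_i, r_i = dec1_star(sigma_prev, C, self.rng)
        self.sigmap, K_i = dec2_star(sigmap_prev, w_i)
        leak_f, leak_g = f(sigma_prev, r_i), g(sigmap_prev, w_i)
        for leak in (leak_f, leak_g):
            if not isinstance(leak, int) or leak < 0 or leak.bit_length() > self.lam:
                return None
        return K_i, leak_f, leak_g


def demo(seed=1, queries=5):
    """Returns (every K_i matched the encapsulated key, sigma_i * sigma_i' == x held
    after every query, bounded leakage accepted and an over-wide leakage rejected)."""
    rng = random.Random(seed)
    pk, s0, s0p, x = kg_star(rng)
    oracle = CCLA1Oracle(s0, s0p, LAMBDA, rng)
    low_bits = lambda share, *rest: share % (1 << LAMBDA)   # a legal lambda-bit leakage function
    keys_ok = invariant_ok = leaks_ok = True
    for _ in range(queries):
        C, K = enc(pk, rng)
        res = oracle.query(C, low_bits, low_bits)
        leaks_ok &= res is not None
        keys_ok &= res is not None and res[0] == K == pow(C, x, Q)
        invariant_ok &= oracle.sigma * oracle.sigmap % P == x   # states still share x
    too_wide = lambda share, r: 1 << LAMBDA                   # (lambda + 1)-bit output: outside the range
    rejected = oracle.query(enc(pk, rng)[0], too_wide, low_bits) is None
    return keys_ok, invariant_ok, leaks_ok and rejected
```

`demo()` returns `(True, True, True)`: the two stages reconstruct $C^x$ through the product $\sigma_i \sigma'_i \equiv x \pmod p$ without either stage ever holding $x$, and the oracle refuses a leakage function whose output exceeds $\lambda$ bits.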

We cannot formally prove CCLA1 security of the scheme, so we have to resort to the following conjecture.

Conjecture 1. EG* is CCLA1 secure if $p - 1$ has a large prime factor (say, $p - 1 = 2p'$ for a prime $p'$) (footnote 9).

9 The reason we require $p - 1$ to be not smooth is to prevent the leakage functions from possibly computing discrete logarithms in $\mathbb{Z}_{p-1}$, as otherwise the multiplicative sharing $\sigma, \sigma'$ (where $\sigma \cdot \sigma' = x$) can be efficiently turned into an additive sharing (of the discrete log of the secret key) $\sigma = h^{\xi}, \sigma' = h^{\xi'}$ where $x = h^{\chi}$ and $\chi = \xi + \xi'$. As described in Section 1.1 an additive sharing cannot give a leakage resilient scheme. The above also hints at the inherent difficulty of proving this conjecture. Let us mention that already in [refs] it is suggested to use a prime $p$ where $(p-1)/2$ is prime in a very similar context. Our result can be seen as a formal justification for this choice.
One can furthermore make ElGamal key-encapsulation CCA2 secure (without leakage) under the strong Diffie-Hellman assumption in the random oracle model by hashing the symmetric key $K$ [refs]. This Hashed ElGamal scheme is contained in many standard bodies, e.g. [refs]. Hashing the symmetric key clearly does not affect its CCLA1 security and therefore Hashed ElGamal is CCLA1 and CCA2 secure.

However, as we will explain now, in our leakage resilience setting hashing $K$ will not make the scheme CCLA2 secure. The (unhashed) EG scheme is not CCA2 secure since it is malleable. (An adversary, given the challenge ciphertext $C$ (enciphering a key $K$), can ask for a decryption of $C^2 \neq C$ to obtain $K^2$ from which it can reconstruct $K$.) Without considering leakage, hashing the key prevents this attack as now the adversary only sees a hashed key $H(K^2)$. Unfortunately, in the leakage setting hashing will not help at all because the adversary can specify a leakage function which outputs $\lambda$ bits of the unhashed key $K^2$. Asking for the decryption of the same ciphertext $C^2$ several times, leaking $\lambda$ different bits of $K^2$ on each invocation, will ultimately reveal the entire $K^2$.

3.2 Bilinear ElGamal Key Encapsulation

The Bilinear ElGamal key-encapsulation mechanism $\mathrm{BEG} = (\mathrm{KG}_{\mathrm{BEG}}, \mathrm{Enc}_{\mathrm{BEG}}, \mathrm{Dec}_{\mathrm{BEG}})$ is defined as follows.

- $\mathrm{KG}_{\mathrm{BEG}}(\kappa)$: Compute $\mathcal{PG} = (G, G_T, p, e) \leftarrow \mathrm{BGen}(\kappa)$ and choose random $g \leftarrow G$ and random $x \leftarrow \mathbb{Z}_p$. Set $X = g^x$ and $X_T = e(g, g)^x$. The public key is $pk = (\mathcal{PG}, g, X_T)$ and the secret key is $sk = X$.

- $\mathrm{Enc}_{\mathrm{BEG}}(pk)$: choose random $r \xleftarrow{\$} \mathbb{Z}_p$. Set $C \leftarrow g^r \in G$ and $K \leftarrow X_T^r \in G_T$. The ciphertext is $C$ and the key is $K$.

- $\mathrm{Dec}_{\mathrm{BEG}}(sk, C)$: Compute the key as $K = e(C, X) \in G_T$.

Note that correctness follows from the bilinear property $X_T^r = e(g, g)^{xr} = e(g^r, g^x) = e(g^r, X)$.

We will now describe a leakage resilient key encapsulation $\mathrm{BEG}^* = (\mathrm{KG}^*_{\mathrm{BEG}}, \mathrm{Enc}^*_{\mathrm{BEG}}, \mathrm{Dec1}^*_{\mathrm{BEG}}, \mathrm{Dec2}^*_{\mathrm{BEG}})$, which is derived from BEG.

- $\mathrm{KG}^*_{\mathrm{BEG}}(\kappa)$: Run $(sk, pk) \xleftarrow{\$} \mathrm{KG}_{\mathrm{BEG}}(\kappa)$. (Recall that $sk = X = g^x$ and $pk = (\mathcal{PG}, g, X_T = e(g, g)^x)$.) Choose random $r_0 \leftarrow \mathbb{Z}_p^*$ and set $\sigma_0 \leftarrow g^{r_0}$, $\sigma'_0 \leftarrow g^{x - r_0}$. The public key is $pk$ and the secret states are $\sigma_0, \sigma'_0$.

- $\mathrm{Enc}^*_{\mathrm{BEG}}(pk)$: the same as $\mathrm{Enc}_{\mathrm{BEG}}(pk)$.

- $\mathrm{Dec1}^*_{\mathrm{BEG}}(\sigma_{i-1}, C)$: choose random $r_i \leftarrow \mathbb{Z}_p$, set $\sigma_i \leftarrow \sigma_{i-1} \circ g^{r_i}$, $K' \leftarrow e(\sigma_i, C)$ and return $(r_i, K')$.

- $\mathrm{Dec2}^*_{\mathrm{BEG}}(\sigma'_{i-1}, (r_i, K'))$: set $\sigma'_i \leftarrow \sigma'_{i-1} \circ g^{-r_i}$ and $K'' \leftarrow e(\sigma'_i, C)$. The symmetric key is $K \leftarrow K' * K'' \in G_T$.

Note that for every $i$, with $R_i = \sum_{j=0}^{i} r_j$ we have $g^{R_i} \circ g^{x - R_i} = g^x$, so the $\sigma_i, \sigma'_i$ are a secret sharing of the secret key.
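As an added example (not the paper's code), the block below builds the three generic-bilinear-group oracles $\mathcal{O}, \mathcal{O}_T, \mathcal{O}_e$ of Section 2 and runs $\mathrm{BEG}^*$ on top of them, so that every group operation and pairing the scheme performs is an oracle query on opaque random encodings, exactly as in the model Theorem 1 is stated in. The encodings $\xi, \xi_T$ are drawn lazily as random strings with distinct prefixes (so $\Sigma \cap \Sigma_T = \emptyset$), exponentiation is square-and-multiply over $\mathcal{O}$ as the text describes, and $\bot$ is represented by `None`. The order $p = 2^{61} - 1$ is a constructed toy choice, $\xi(0)$ is exposed as the identity (it is obtainable as $\mathcal{O}(\xi(a), \xi(p - a))$ anyway), and because $\mathrm{Dec2}^*_{\mathrm{BEG}}$ needs $C$ to compute $e(\sigma'_i, C)$, $C$ is carried inside $w_i$ here; all names are this example's own.

```python
"""Generic bilinear group (GBG) oracles with BEG* running on top of them.
Added example, not the paper's code.  P is a constructed toy prime; xi(1) plays g."""
import random

P = 2305843009213693951        # 2^61 - 1 (prime), the toy group order p


class GenericBilinearGroup:
    """Random injective encodings xi : Z_p -> Sigma ("G:..."), xi_T : Z_p -> Sigma_T ("GT:...").
    Callers only ever see strings; decoding happens inside the oracles alone."""

    def __init__(self, rng):
        self.rng, self.enc, self.dec = rng, {}, {}

    def _xi(self, group, a):
        key = (group, a % P)
        if key not in self.enc:
            while True:
                s = "%s:%016x" % (group, self.rng.getrandbits(64))
                if s not in self.dec:
                    break
            self.enc[key], self.dec[s] = s, key
        return self.enc[key]

    def _decode(self, group, s):
        rec = self.dec.get(s)
        return rec[1] if rec is not None and rec[0] == group else None

    def O(self, u, v):        # O(xi(a), xi(b)) -> xi(a + b mod p), None on a bad domain
        a, b = self._decode("G", u), self._decode("G", v)
        return None if a is None or b is None else self._xi("G", a + b)

    def O_T(self, u, v):      # O_T(xi_T(a), xi_T(b)) -> xi_T(a + b mod p)
        a, b = self._decode("GT", u), self._decode("GT", v)
        return None if a is None or b is None else self._xi("GT", a + b)

    def O_e(self, u, v):      # O_e(xi(a), xi(b)) -> xi_T(a * b mod p), the pairing
        a, b = self._decode("G", u), self._decode("G", v)
        return None if a is None or b is None else self._xi("GT", a * b)

    def generator(self):      # xi(1), the one encoding handed out for free
        return self._xi("G", 1)

    def identity(self, group):   # xi(0) / xi_T(0); in the model, O(xi(a), xi(p - a)) yields it
        return self._xi(group, 0)


def power(op, ident, base, n):
    """Square-and-multiply through the group-operation oracle: at most 2 log p queries."""
    result, n = ident, n % P
    while n:
        if n & 1:
            result = op(result, base)
        base = op(base, base)
        n >>= 1
    return result


def kg_star(gbg, rng):
    """KG*_BEG: pk = (g, X_T = e(g,g)^x), states sigma_0 = g^{r_0}, sigma_0' = g^{x - r_0}."""
    g, idG = gbg.generator(), gbg.identity("G")
    x = rng.randrange(1, P)
    X = power(gbg.O, idG, g, x)                       # sk = X = g^x (returned only for the check below)
    X_T = gbg.O_e(X, g)                               # e(g^x, g) = e(g, g)^x
    r0 = rng.randrange(1, P)
    sigma0 = power(gbg.O, idG, g, r0)
    sigma0p = power(gbg.O, idG, g, (x - r0) % P)
    return (g, X_T), sigma0, sigma0p, X


def enc(gbg, pk, rng):
    """Enc_BEG: C = g^r in G, K = X_T^r in G_T."""
    g, X_T = pk
    r = rng.randrange(1, P)
    return power(gbg.O, gbg.identity("G"), g, r), power(gbg.O_T, gbg.identity("GT"), X_T, r)


def dec1_star(gbg, g, sigma_prev, C, rng):
    """Dec1*_BEG: sigma_i = sigma_{i-1} o g^{r_i}, K' = e(sigma_i, C); w_i = (r_i, K', C)."""
    r_i = rng.randrange(1, P)
    sigma_i = gbg.O(sigma_prev, power(gbg.O, gbg.identity("G"), g, r_i))
    return sigma_i, (r_i, gbg.O_e(sigma_i, C), C)


def dec2_star(gbg, g, sigmap_prev, w_i):
    """Dec2*_BEG: sigma_i' = sigma_{i-1}' o g^{-r_i}, K'' = e(sigma_i', C), K = K' * K''."""
    r_i, K_prime, C = w_i
    sigmap_i = gbg.O(sigmap_prev, power(gbg.O, gbg.identity("G"), g, (-r_i) % P))
    return sigmap_i, gbg.O_T(K_prime, gbg.O_e(sigmap_i, C))


def demo(seed=7, queries=4):
    """Returns (all decapsulated keys equal the encapsulated ones,
    sigma_i o sigma_i' == g^x after every query, mixing Sigma and Sigma_T gives bottom)."""
    rng = random.Random(seed)
    gbg = GenericBilinearGroup(rng)
    pk, sigma, sigmap, X = kg_star(gbg, rng)
    g = pk[0]
    keys_ok = sharing_ok = True
    for _ in range(queries):
        C, K = enc(gbg, pk, rng)
        sigma, w_i = dec1_star(gbg, g, sigma, C, rng)
        sigmap, K_dec = dec2_star(gbg, g, sigmap, w_i)
        keys_ok &= K_dec == K
        sharing_ok &= gbg.O(sigma, sigmap) == X
    return keys_ok, sharing_ok, gbg.O(sigma, K) is None
```

Because encodings are unique, string equality of `K_dec` and `K` is exactly the equality test the model grants an adversary, and the invariant check `O(sigma, sigmap) == X` is the statement $g^{R_i} \circ g^{x - R_i} = g^x$ from the paragraph above evaluated through the oracle.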
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Theorem 1. In the bilinear generic group model the scheme BEG* is CCLA1 se- 
cure: the advantage of a q- query adversary who gets A bits of leakage per invocation 
o/Declg EG and Dec2 EEG , respectively, is at most - — 

Thus, for a statistical security parameter $n$, we can tolerate $\lambda = \log(p)/2 - 3\log(q) - n/2$ bits of leakage. For space reasons, here we can only give a proof outline. The complete proof appears in the full version of this paper.

Proof Outline. For technical reasons, we will consider a setting where the generic bilinear group is extended with an additional oracle $\mathcal{O}_{DL} : S \cup S_T \to \mathbb{Z}_p$; we will call this the extended generic bilinear group model. Intuitively, $\mathcal{O}_{DL}$ is an oracle for the discrete log problem, but it only works on inputs that have not yet appeared since the oracles $\mathcal{O}, \mathcal{O}_e, \mathcal{O}_T$ have been initialized.

The proof outline is as follows. We will first show that the discrete logarithm problem (DL) is hard in the (base group of the) extended GBG model. We then give a reduction which shows how any adversary that can break the CCA1 security (without leakage) of $\mathrm{BEG}^*$ in the (normal) GBG model can solve the discrete log problem in the extended GBG model. Next, we extend this proof to get our main result, namely a reduction of the CCLA1 security of $\mathrm{BEG}^*$ to the discrete log problem.

CCA1 security of $\mathrm{BEG}^*$. Let $\mathcal{F}$ be an adversary that can break the CCA1 security of $\mathrm{BEG}^*$. We construct an adversary $\mathcal{G}$ for DL (using $\mathcal{F}$ as a black box) by letting $\mathcal{G}$ simulate the $\mathrm{Exp}^{\mathrm{cca1}}_{\mathrm{BEG}^*}(\mathcal{F}, p)$ experiment, where in this experiment $\mathcal{G}$ uses its DL challenge $\xi(y)$ as either the secret key $\xi(x)$ or the challenge encapsulated key $\xi(s)$, each with probability 1/2.

During the CCA1 experiment, $\mathcal{F}$ (which initially gets $\xi_T(x)$, and after the last decapsulation query gets $\xi(s)$) will learn the representations of elements $\xi_T(e_1), \xi_T(e_2), \ldots$ from the target group. One can show that just from observing $\mathcal{F}$'s oracle queries, $\mathcal{G}$ can assign to each $e_i$ an equation $e_i = a_i + b_i \cdot x + c_i \cdot s + d_i \cdot s^2$ where it knows the coefficients $a_i, b_i, c_i, d_i \in \mathbb{Z}_p$. Similarly, for representations $\xi(e_1), \xi(e_2), \ldots$ of elements in the base group that $\mathcal{F}$ learns, $\mathcal{G}$ can extract $a_i, b_i$ such that $e_i = a_i + b_i \cdot s$. To get an idea why this is the case, consider, e.g., the case where $\mathcal{F}$ makes a query $\xi_T(v \cdot w) \leftarrow \mathcal{O}_e(\xi(v), \xi(w))$. If $\xi(v)$ (same for $\xi(w)$) was never seen before, $\mathcal{G}$ first calls $\mathcal{O}_{DL}(\xi(v))$ to learn $v$. (Recall that $\mathcal{G}$ is in the extended GBG model.) Now $\mathcal{G}$ knows $a, b, a', b'$ s.t. $v = a + b \cdot s$ and $w = a' + b' \cdot s$, which implies $v \cdot w = a'' + b'' \cdot x + c'' \cdot s + d'' \cdot s^2$ with $a'' = a \cdot a'$, $b'' = 0$, $c'' = a \cdot b' + a' \cdot b$, $d'' = b \cdot b'$.

Recall that $\mathcal{F}$'s goal is to distinguish the decapsulated key $\xi_T(x \cdot s)$ from a random element. If $\mathcal{F}$ has advantage $\varepsilon$ in doing so, it actually must compute the element $\xi_T(x \cdot s)$ with probability $\varepsilon$, which means we learn $a, b, c, d$ such that

$x \cdot s = a + b \cdot x + c \cdot s + d \cdot s^2$, (2)

which can be solved for $s$ or $x$ (or both). Thus $\mathcal{G}$ will learn the discrete log of $\xi(y)$ with probability at least $\varepsilon/2$ (as we initially set $\xi(y)$ to $\xi(s)$ or $\xi(x)$ at random).
CCLA1 security of $\mathrm{BEG}^*$. The proof in the case of leakage attacks is more delicate. In a CCLA1 attack, with the $i$th decapsulation query, the adversary $\mathcal{F}$ also learns the output of the leakage functions $f_i, g_i$. If we had no upper bound on the output length of those functions, then $f_i$ and $g_i$ could just leak $\xi(R_i)$ and $\xi(x - R_i)$ respectively, from which $\mathcal{F}$ could first compute the secret key $\xi(x)$ and then $\xi_T(x \cdot s)$. In this case, the reduction $\mathcal{G}$ does not learn an equation of the form (2), but only the trivial equality $x \cdot s = x \cdot s$. We will prove that if the leakage bound $\lambda \ll \log p/2$, then the leakage functions will not leak any representation of an element to $\mathcal{F}$ that $\mathcal{F}$ could not efficiently compute itself.

To see this, let us first make the simplifying assumption that the leakage functions $f_i, g_i$ are not given access to the group oracles $\mathcal{O}, \mathcal{O}_e, \mathcal{O}_T$. Then all the leakage functions can try to do is to leak some element they get as input. Consider any such element, say $\xi(R_i)$. As $\xi(R_i)$ is only given as input to $f_i$ and $f_{i+1}$, at most $2\lambda$ bits about this element can leak. If $2\lambda \ll \log p$, then $\mathcal{F}$ will have high min-entropy about $\xi(R_i)$ even given these $2\lambda$ bits of leakage. Thus it is very unlikely that it can guess $\xi(R_i)$.

Now consider the general case, where the leakage functions can use the group oracles. Now the leakage functions can trivially leak the representation of some group element: say $f_1, f_2, \ldots$ all use $\mathcal{O}$ to compute $\xi(z)$ for some fixed $z$, and each leaks $\lambda$ bits of $\xi(z)$ until $\mathcal{F}$ learns the entire $\xi(z)$. Now $\mathcal{F}$ does get the representation of an element $\xi(z)$ without receiving it from the group oracles, but that is no problem, as $\mathcal{G}$ will know $a, b$ such that $a + b \cdot s = z$ (namely $a = z$ and $b = 0$), and that's all we care about.

Now the $f_i$ leakage function (similarly for $g_i$) can use its input $\xi(R_{i-1})$ to compute elements $\xi(z)$ where $\mathcal{G}$ only knows $a, b$ (where $b \neq 0$) such that $z = a + b \cdot r_0$. We call such a representation "bound" (as opposed to "free" representations $\xi(z)$ where $\mathcal{G}$ trivially learns $z$ by just observing $f_i$'s oracle queries). It would be a problem if a bound representation could leak to $\mathcal{F}$. As said before, the $f_i$'s can trivially leak $2\lambda$ bits about a bound element, as, e.g., $f_i$ and $f_{i+1}$ have access to $\xi(R_i)$ (recall that $R_i = \sum_{j=0}^{i} r_j$ where each $r_j$ is uniformly random). But it is not clear how any other leakage function $f_j$ ($j \notin \{i, i+1\}$) would compute the element $\xi(R_i)$ or any other element derived from it; since the sharings are randomized during each invocation, the values $\xi(R_{j-1}), r_j$ that $f_j$ has are completely independent of $R_i$ (and thus $\xi(R_i)$). In fact, we show that if $\mathcal{F}$ manages to choose leakage functions such that the same bound element is computed by $f_i$ and $f_j$ (where $j > i+1$) with probability $\varepsilon$, then $\mathcal{F}$ can be used to solve the discrete logarithm problem with probability $\varepsilon/(2^{2\lambda} q)$. The idea is to use the discrete logarithm challenge $\xi(y)$ as $\xi(r_j)$ for a random $j$. Note that to simulate the experiment, $\mathcal{G}$ only needs $\xi(r_j)$, not $r_j$, except to compute the $2\lambda$ bits of leakage from the $j$th decapsulation query. (As here the leakage functions $f_j, g_j$ expect $r_j$ as input.) We let $\mathcal{G}$ randomly guess this leakage, which will be correct with probability $2^{-2\lambda}$. Now assume we have two identical bound elements $\xi(z)$ computed by $f_{i'}$ and $f_{i''}$ where $i'' > i' + 1$. As this query was made by $f_{i'}$, and up to this point $\mathcal{G}$ only used $r_0, \ldots, r_{i'}$ that it sampled itself, it will know $z$. As this query was also made by $f_{i''}$, $\mathcal{G}$ learns $a, b \neq 0$ such that $z = a + b \cdot r_j$, and thus can solve this equality to get $r_j$.


610 


E. Kiltz and K. Pietrzak 


References 

1. Abdalla, M., Bellare, M., Rogaway, P.: The oracle Diffie-Hellman assumptions and 
an analysis of DHIES. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, p. 
143. Springer, Heidelberg (2001) 

2. Akavia, A., Goldwasser, S., Vaikuntanathan, V.: Simultaneous hardcore bits and 
cryptography against memory attacks. In: Reingold, O. (ed.) TCC 2009. LNCS, 
vol. 5444, pp. 474-495. Springer, Heidelberg (2009) 

3. Alwen, J., Dodis, Y., Naor, M., Segev, G., Walfish, S., Wichs, D.: Public-key en- 
cryption in the bounded-retrieval model. In: Gilbert, H. (ed.) EUROCRYPT 2010. 
LNCS, vol. 6110, pp. 113-134. Springer, Heidelberg (2010) 

4. Alwen, J., Dodis, Y., Wichs, D.: Leakage-resilient public-key cryptography in the 
bounded-retrieval model. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 
36-54. Springer, Heidelberg (2009) 

5. Barak, B., Shaltiel, R., Wigderson, A.: Computational analogues of entropy. In: 
RANDOM-APPROX, pp. 200-215 (2003) 

6. Biham, E., Shamir, A.: Differential fault analysis of secret key cryptosystems. In: 
Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 513-525. Springer, Hei- 
delberg (1997) 

7. Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with con- 
stant size ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, 
pp. 440-456. Springer, Heidelberg (2005) 

8. Boneh, D., De Millo, R.A., Lipton, R.J.: On the importance of checking crypto- 
graphic protocols for faults (extended abstract). In: Fumy, W. (ed.) EUROCRYPT 
1997. LNCS, vol. 1233, pp. 37-51. Springer, Heidelberg (1997) 

9. Brakerski, Z., Kalai, Y.T., Katz, J., Vaikuntanathan, V.: Overcoming the hole in 
the bucket: Public-key cryptography resilient to continual memory leakage. In: 51st 
FOCS. IEEE Computer Society Press, Los Alamitos (2010) 

10. Cash, D., Ding, Y.Z., Dodis, Y., Lee, W., Lipton, R.J., Walfish, S.: Intrusion-resilient 
key exchange in the bounded retrieval model. In: Vadhan, S.P. (ed.) TCC 2007. 
LNCS, vol. 4392, pp. 479-498. Springer, Heidelberg (2007) 

11. Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counter- 
act power-analysis attacks. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, 
pp. 398-412. Springer, Heidelberg (1999) 

12. Clavier, C., Joye, M.: Universal exponentiation algorithm. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 300-308. Springer, Heidelberg (2001)

13. Di Crescenzo, G., Lipton, R.J., Walfish, S.: Perfectly secure password protocols in 
the bounded retrieval model. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, 
vol. 3876, pp. 225-244. Springer, Heidelberg (2006) 

14. Dodis, Y., Goldwasser, S., Kalai, Y.T., Peikert, C., Vaikuntanathan, V.: Public- 
key encryption schemes with auxiliary inputs. In: Micciancio, D. (ed.) Theory of 
Cryptography. LNCS, vol. 5978, pp. 361-381. Springer, Heidelberg (2010) 

15. Dodis, Y., Haralambiev, K., Lopez-Alt, A., Wichs, D.: Cryptography against contin- 
uous memory attacks. In: 51st FOCS. IEEE Computer Society Press, Los Alamitos 
(2010) 

16. Dodis, Y., Haralambiev, K., Lopez-Alt, A., Wichs, D.: Efficient public-key cryptog- 
raphy in the presence of key leakage. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, 
vol. 6477, pp. 595-612. Springer, Heidelberg (2010) 



Leakage Resilient ElGamal Encryption


17. Dodis, Y., Kalai, Y.T., Lovett, S.: On cryptography with auxiliary input. In: 41st 
ACM STOC. ACM Press, New York (2009) 

18. Dodis, Y., Pietrzak, K.: Leakage-resilient pseudorandom functions and side-channel 
attacks on feistel networks. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 
21-40. Springer, Heidelberg (2010) 

19. Dziembowski, S.: Intrusion-resilience via the bounded-storage model. In: Halevi, S., 
Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 207-224. Springer, Heidelberg 
(2006) 

20. Dziembowski, S.: On forward-secure storage (extended abstract). In: Dwork, C. 
(ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 251-270. Springer, Heidelberg (2006) 

21. Dziembowski, S., Maurer, U.M.: Optimal randomizer efficiency in the bounded- 
storage model. Journal of Cryptology 17(1), 5-26 (2004) 

22. Dziembowski, S., Pietrzak, K.: Intrusion-resilient secret sharing. In: 48th FOCS, pp. 
227-237. IEEE Computer Society Press, Los Alamitos (2007) 

23. Dziembowski, S., Pietrzak, K.: Leakage-resilient cryptography. In: 49th FOCS, pp. 
293-302. IEEE Computer Society Press, Los Alamitos (2008) 

24. El Gamal, T.: On computing logarithms over finite fields. In: Williams, H.C. (ed.) 
CRYPTO 1985. LNCS, vol. 218, pp. 396-402. Springer, Heidelberg (1986) 

25. Faust, S., Kiltz, E., Pietrzak, K., Rothblum, G.N.: Leakage-resilient signatures. 
In: Micciancio, D. (ed.) Theory of Cryptography. LNCS, vol. 5978, pp. 343-360. 
Springer, Heidelberg (2010) 

26. Gandolfi, K., Mourtel, C., Olivier, F.: Electromagnetic analysis: Concrete results. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 251-261. Springer, Heidelberg (2001)

27. Goldwasser, S., Kalai, Y.T., Rothblum, G.N.: One-time programs. In: Wagner, D. 
(ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 39-56. Springer, Heidelberg (2008) 

28. Goldwasser, S., Rothblum, G.N.: Securing computation against continuous leakage. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 59-79. Springer, Heidelberg (2010)

29. Halderman, J.A., Schoen, S.D., Heninger, N., Clarkson, W., Paul, W., Calandrino, J.A., Feldman, A.J., Appelbaum, J., Felten, E.W.: Lest we remember: cold-boot attacks on encryption keys. Commun. ACM 52(5), 91-98 (2009)

30. Harnik, D., Naor, M.: On everlasting security in the hybrid bounded storage model. 
In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. Part II 
LNCS, vol. 4052, pp. 192-203. Springer, Heidelberg (2006) 

31. Hastad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from 
any one-way function. SIAM Journal on Computing 28(4), 1364-1396 (1999) 

32. IEEE P1363a Committee: IEEE P1363a / D9 - standard specifications for public key cryptography: Additional techniques (June 2001), http://grouper.ieee.org/groups/1363/index.html (draft version 9)

33. Juma, A., Vahlis, Y.: Protecting cryptographic keys against continual leakage. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 41-58. Springer, Heidelberg (2010)

34. Katz, J., Vaikuntanathan, V.: Signature schemes with bounded leakage resilience. 
In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 703-720. Springer, 
Heidelberg (2009) 

35. Koblitz, N., Menezes, A.J.: Another look at generic groups. Advances in Mathemat- 
ics of Communications 1, 13-28 (2007) 

36. Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and 
other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104-113. 
Springer, Heidelberg (1996) 




37. Kocher, P.C., Jaffe, J.: Leak-Resistant Cryptographic Method and Apparatus. 
United States Patent 6304658 B1 (October 16, 2001) 

38. Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) 
CRYPTO 1999. LNCS, vol. 1666, pp. 388-397. Springer, Heidelberg (1999) 

39. Maurer, U.M.: A provably-secure strongly-randomized cipher. In: Damgård, I. (ed.) EUROCRYPT 1990. LNCS, vol. 473, pp. 361-373. Springer, Heidelberg (1991)

40. Micali, S., Reyzin, L.: Physically observable cryptography (extended abstract). In: 
Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 278-296. Springer, Heidelberg 
(2004) 

41. Naor, M., Segev, G.: Public-key cryptosystems resilient to key leakage. In: Halevi, 
S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 18-35. Springer, Heidelberg (2009) 

42. Nechaev, V.I.: Complexity of a determinate algorithm for the discrete logarithm. 
Mathematical Notes 55(2), 165-172 (1994) 

43. European Network of Excellence (ECRYPT): The side channel cryptanalysis lounge, http://www.crypto.ruhr-uni-bochum.de/en_sclounge.html (retrieved on March 29, 2008)

44. Pietrzak, K.: A leakage-resilient mode of operation. In: Joux, A. (ed.) EURO- 
CRYPT. LNCS, pp. 462-482. Springer, Berlin (2009) 

45. Quisquater, J.-J., Samyde, D.: Electromagnetic analysis (ema): Measures and 
counter-measures for smart cards. In: E-smart, pp. 200-210 (2001) 

46. Quisquater, J.-J., Koene, F.: Side channel attacks: State of the art (October 2002) 
[43] 

47. Rackoff, C., Simon, D.R.: Non-interactive zero-knowledge proof of knowledge and 
chosen ciphertext attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, 
pp. 433-444. Springer, Heidelberg (1992) 

48. Certicom research, standards for efficient cryptography group (SECG) — sec 1: El- 
liptic curve cryptography (September 20, 2000), 
http://www.secg.org/secg_docs.htm version 1.0 

49. Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, 
W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256-266. Springer, Heidelberg 
(1997) 

50. Shoup, V.: ISO 18033-2: An emerging standard for public-key encryption (December 
2004), http://shoup.net/iso/std6.pdf (final Committee Draft) 

51. Standaert, F.-X., Pereira, O., Yu, Y., Quisquater, J.-J., Yung, M., Oswald, E.: Leakage resilient cryptography in practice. Cryptology ePrint Archive, Report 2009/341 (2009), http://eprint.iacr.org/

52. Trichina, E., Bellezza, A.: Implementation of elliptic curve cryptography with built-in counter measures against side channel attacks. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 98-113. Springer, Heidelberg (2003)

53. Vadhan, S.P.: On constructing locally computable extractors and cryptosystems in 
the bounded storage model. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, 
pp. 61-77. Springer, Heidelberg (2003) 


Efficient Public-Key Cryptography in the Presence of 
Key Leakage 


Yevgeniy Dodis, Kristiyan Haralambiev, Adriana Lopez-Alt, and Daniel Wichs 

New York University 

dodis@cs.nyu.edu, kkh@cs.nyu.edu, lopez@cs.nyu.edu, wichs@cs.nyu.edu 


Abstract. We study the design of cryptographic primitives resistant to a large class of side-channel attacks, called “memory attacks”, where an attacker can repeatedly and adaptively learn information about the secret key, subject only to the constraint that the overall amount of such information is bounded by some parameter $\ell$. Although the study of such primitives was initiated only recently by Akavia et al. [ref], subsequent work already produced many such “leakage-resilient” primitives [48,4,42], including signature, encryption, identification (ID) and authenticated key agreement (AKA) schemes. Unfortunately, every existing scheme, — for any of the four fundamental primitives above, — fails to satisfy at least one of the following desirable properties:

- Efficiency. While the construction may be generic, it should have some effi- 
cient instantiations, based on standard cryptographic assumptions, and with- 
out relying on random oracles. 

- Strong Security. The construction should satisfy the strongest possible defi- 
nition of security (even in the presence of leakage). For example, encryption 
schemes should be secure against chosen ciphertext attack (CCA), while sig- 
natures should be existentially unforgeable. 

- Leakage Flexibility. It should be possible to set the scheme parameters so that the leakage bound $\ell$ can come arbitrarily close to the secret-key size.

In this work we design the first signature, encryption, ID and AKA schemes 
which overcome these limitations, and satisfy all the properties above. Moreover, 
all our constructions are generic, in several cases elegantly simplifying and gen- 
eralizing the prior constructions (which did not have any efficient instantiations). 
We also introduce several tools of independent interest, such as the abstraction 
(and constructions) of true-simulation extractable NIZK arguments, and a new 
deniable DH-based AKA protocol based on any CCA-secure encryption. 


1 Introduction 

Traditionally, the security of cryptographic schemes has been analyzed in an idealized setting, where an adversary only sees the specified “input/output behavior” of a scheme, but has no other access to its internal secret state. Unfortunately, in the real world, an adversary may often learn some partial information about secret state via various key leakage attacks. Such attacks come in a large variety and include side-channel attacks [refs], where the physical realization of a cryptographic primitive

M. Abe (Ed.): ASIACRYPT 2010, LNCS 6477, pp. 613–631, 2010.
© International Association for Cryptologic Research 2010
can leak additional information, such as the computation time, power consumption, radiation/noise/heat emission etc. The cold-boot attack of Halderman et al. [ref] is another example of a key-leakage attack, where an adversary can learn (imperfect) information about memory contents of a machine, even after the machine is powered down. Schemes that are proven secure in an idealized setting, without key leakage, may become completely insecure if the adversary learns even a small amount of information about the secret key. Indeed, even very limited leakage attacks have been shown to have devastating consequences for the security of many natural schemes.

Unfortunately, it is unrealistic to assume that we can foresee, let alone block, all of 
the possible means through which key leakage can occur in real-world implementations 
of cryptographic schemes. Therefore, the cryptographic community has recently ini- 
tiated the investigation of increasingly general (formally modeled) classes of leakage 
attacks, with the aim of constructing leakage-resilient cryptographic schemes that re- 
main provably secure even in the presence of such attacks. Of course, if an adversary 
can get unrestricted information about the secret key, then she can learn the key in its 
entirety and the security of the system is necessarily compromised. Therefore, we must 
first place some “upper bound” on the type or amount of information that the adversary 
can learn. The nature of such bounds varies in the literature, as we survey later. For this 
work, we only restrict the amount, but not the type, of information that an adversary can 
learn through a key-leakage attack. In particular, we will assume that the attacker can learn any efficiently computable function of the secret key $sk$, subject only to the constraint that the total amount of information learned (i.e. the output size of the leakage function) is bounded by $\ell$ bits, where $\ell$ is called the “leakage parameter” of the system.¹ Clearly, at this level of generality, the secret-key size $s$ must be strictly greater than the leakage parameter $\ell$.² Therefore, the quantity $\ell/s$ can be thought of as the relative leakage of the system, with the obvious goal to make it as close to 1 as possible.

Our model of leakage-resilience was recently introduced by Akavia et al. [ref], but already attracted a lot of attention from the cryptographic community [48,4,42,3]. In particular, as we survey later, we already know many “leakage-resilient” primitives, including such fundamental primitives as signature schemes, encryption schemes, identification (ID) schemes and authenticated key agreement (AKA) protocols. Unfortunately, we observe that every existing scheme, — for any of the four fundamental primitives above, — fails to satisfy at least one of the following desirable properties:

- Efficiency. While the proposed construction may be based on some generic cryp- 
tographic primitives, — which is in fact preferable for modular design, — it should 
have some efficient instantiations, based on standard cryptographic assumptions, 
and without relying on random oracles. We view this property as the main property 
we will strive to achieve. 


¹ More formally, we allow adaptive measurements, as long as the sum of leaked outputs is bounded by $\ell$.

² In fact, our actual constructions easily extend to the more general “noisy leakage” model of Naor and Segev [ref], where the outputs can be longer than $s$, as long as the “average min-entropy” of $sk$ drops by at most $\ell$ bits. However, we do not pursue this generalization, in order to keep our notation simple.
- Strong Security. The construction should satisfy the strongest possible definition of security (even in the presence of leakage). For example, encryption schemes should be secure against chosen ciphertext attack (CCA), while signatures should be existentially unforgeable, etc.

- Leakage Flexibility. It should be possible to set the parameters of the schemes so that the relative leakage $\ell/s$ is arbitrarily close to 1. We call such schemes leakage-flexible.


1.1 Our Results 

In this work we design the first signature, encryption, ID and AKA schemes which 
simultaneously satisfy the efficiency, strong security and leakage flexibility properties 
mentioned above. Moreover, all our constructions are generic. This means that the ac- 
tual construction is modularly defined and explained using natural simpler blocks, and 
its security against key leakage is also proven no matter how these simpler blocks are 
(securely) implemented. However, unlike the prior generic constructions, which did not 
have any known efficient instantiations (at least, with the desired security and flexibil- 
ity we seek), ours are yet more general, which will allow us to obtain several efficient 
instantiations. Given this fact, it is not surprising that our contributions can be roughly 
split into two categories: “conceptual” contributions, allowing us to obtain more general 
(and, yet, conceptually simpler) leakage-resilient constructions, and “concrete” contri- 
butions, allowing us to instantiate our general schemes efficiently. 

Conceptual Contributions. As we will see, existing schemes (e.g., signature and CCA-encryption) could be largely divided into two categories: potentially efficient schemes, with some inherent limitation not allowing them to achieve relative leakage approaching 1 (which also prevents us from using these ideas for our purposes), and more theoretical schemes [48,42], achieving good relative leakage, but relying on the notion of simulation-sound non-interactive zero-knowledge (ss-NIZK) [ref]. Informally, ss-NIZK proofs remain sound even if the attacker can see simulated proofs of arbitrary (even false) statements. Unfortunately, it appears that the existing cryptographic machinery does not allow us to instantiate non-trivial ss-NIZK proofs efficiently.³ On the other hand, a recent breakthrough result of Groth-Sahai [55] showed that one can obtain efficient non-simulation-sound NIZK proofs for a non-trivial class of languages. While the techniques of [ref] could be applied to Groth-Sahai proofs to achieve ss-NIZKs, it is a non-trivial “exercise” and the resulting proofs are significantly less efficient, as the construction involves OR-proofs for Groth-Sahai languages. Therefore, our first idea was to try to generalize the existing constructions sufficiently, making them rely only on regular NIZKs, in the hope that such NIZKs can then be instantiated using the powerful Groth-Sahai techniques.

In the end, this is indeed what we realized. However, in the process we also abstracted away an elegant notion of independent interest: true-simulation extractable (tSE) NIZKs. While similar to the notion of simulation-sound extractable NIZKs [51],

³ The work of [51] constructs ss-NIZK proofs for practical languages and uses them to construct group signatures, but the resulting scheme has signature size of “thousands or perhaps even millions of group elements” [ref] despite being constant.
it involves a subtle but rather important difference: whether the adversary has oracle access to simulated proofs for arbitrary (even false) statements or only true ones. Intuitively, both Naor-Segev's leakage-resilient CCA encryption [ref] and Katz-Vaikuntanathan's leakage-resilient signature scheme [42] used the technique of encrypting a witness $x$ for some relation $R$, and then providing a ss-NIZK proof $\psi$ that the ciphertext $c$ indeed contains the encryption of a valid witness $x$. The main reason for using this technique is to allow the reduction to extract a valid witness from any “new” valid pair $(c^*, \psi^*)$ produced by the attacker $\mathcal{A}$ (who saw many such valid pairs earlier). In this paper, we will abstract this property into the tSE notion mentioned above (of which the above mentioned technique is a specific example, where the pair $(c, \psi)$ together makes up a single tSE-NIZK proof). Moreover, we show that true-simulation extractability, as we abstract it, is precisely the right notion for generalizing and proving the security of the previous constructions. This has two positive effects. First, it makes the generic constructions of CCA-encryption and signatures somewhat more intuitive, both for proving and understanding. For example, the traditional “double-encryption” paradigm of Naor-Yung [ref] for designing CCA-secure schemes from chosen-plaintext secure (CPA-secure) schemes, also used by [ref] in the context of key leakage, can be stated as “CPA-encrypting message $m$ under two keys and proving plaintext equality”. Using our more general “simulation-extractability view”, it is now stated as “CPA-encrypting $m$ and proving that one knows the plaintext”. We believe that the latter view is not only more general, but also more intuitive as a way of explaining the “CPA-to-CCA” transformation. It also follows the original intuition of Rackoff and Simon [ref], who combine CPA-encryption with NIZK-POK to achieve CCA-encryption, but in the model where the sender also has a secret key. A similar discussion is true for our signature constructions.

Second, we show a generic way to build tSE-NIZKs which avoids using (expensive) ss-NIZKs. Instead, our method uses regular NIZKs and any CCA-secure encryption scheme.⁴ Perhaps surprisingly, given the current state-of-the-art NIZK and CCA schemes, the combination “CCA + NIZK” appears to be much more efficient in practice than the combination “CPA + ss-NIZK”.⁵ As a result, we were able to provide a general framework for building leakage-flexible signature and CCA-encryption schemes, eventually allowing us to efficiently instantiate our schemes (by avoiding using ss-NIZKs). We summarize our results for signature and CCA-encryption schemes in Tables 1 and 2, also comparing them to the best prior constructions. In all the tables, the “sub-optimal” entries (for efficiency, security, model or relative leakage of prior constructions) are written in italics, and most prior rows are also explained in the related work Section 1.2. For signatures, we stress that no efficient construction in the standard model was known prior to our work, for any non-trivial relative leakage fraction (let alone 1).

Once we have efficient leakage-flexible signature schemes, we can obtain ID and 
AKA schemes with the same properties. The signature-based AKA protocol is not de- 
niable. However, we also construct a deniable AKA protocol based on our construction 


⁴ This is OK for the signature application, but might appear strange for our CCA-encryption application, as we need “CCA to get CCA”. However, as a building block for tSE-NIZKs, we only need standard CCA schemes and as a result obtain leakage-resilient CCA schemes.

⁵ Indirectly, the same realization was made by Groth [ref] and Camenisch et al. [ref].
Table 1. Previous work on leakage-resilient signatures and results of this work

| Reference | Unforgeability | Model | Leakage | Efficient? |
|---|---|---|---|---|
| [ref] | Existential | Random Oracle | 1/2 | Yes |
| [ref] | Entropic | Random Oracle | 1 | Yes |
| [ref] | Existential | Standard | 1 | No |
| This Work | Existential | Standard | 1 | Yes |

Table 2. Previous work on leakage-resilient encryption and results of this work

| Reference | Attack | Model | Leakage | Efficient? |
|---|---|---|---|---|
| [12,48] | CPA | Standard | 1 | Yes |
| [ref] | CCA | Standard | 1/6 | Yes |
| [ref] | CCA | Standard | 1 | No |
| This Work | CCA | Standard | 1 | Yes |

Table 3. Previous work on leakage-resilient identification schemes and results of this work

| Reference | Security | Model | Leakage | Efficient? |
|---|---|---|---|---|
| [ref] | Pre-Impersonation | Standard | 1 | Yes |
| [ref] | Anytime | Standard | 1/2 | Yes |
| [ref] (implicit) | Anytime | Standard | 1 | No |
| This Work | Anytime | Standard | 1 | Yes |

Table 4. Previous work on leakage-resilient AKA and results of this work

| Reference | Model | Leakage | Deniable? | Efficient? |
|---|---|---|---|---|
| [ref] | Random Oracle | 1 | No | Yes |
| [ref] | Standard | 1 | No | No |
| This Work | Standard | 1 | No/Yes * | Yes |

* Our first AKA protocol is not deniable; our second is.


of leakage-flexible CCA-secure encryption. We summarize our results for ID schemes in Table 3 and for AKA protocols in Table 4. See Section [?] for details.

Concrete Contributions. As we explained above, we generically reduce the question of building efficient leakage-flexible ID schemes and AKA protocols to the question of efficiently instantiating our leakage-flexible signature and/or encryption schemes. Such instantiations are given in Section [?]. We also explained how the latter instantiations became possible in our work, since we gave generic constructions of both primitives based on the new notion of tSE-NIZK, and then showed that satisfying this notion may be possible using ordinary NIZKs for appropriate languages, without relying on the expensive simulation-sound NIZKs. Unfortunately, efficient constructions of (even ordinary) NIZKs, due to Groth and Sahai [ref], are only known for a pretty restrictive class of languages in bilinear groups. Thus, obtaining a concrete efficient instantiation still requires quite a substantial effort.
Specifically, all the building blocks have to be instantiated efficiently, and expressed 
in a form such that the resulting NP relation satisfies the severe limitations imposed by 
the Groth-Sahai NIZKs. For example, to build leakage-resilient CCA encryption, we 
need to have an efficient leakage-flexible CPA scheme, a CCA scheme supporting la- 
bels and a one-time signature scheme, all connected together by an efficient NIZK for 
a complicated "plaintext equality" relation. Similarly, for leakage-resilient signature 
schemes, we need an efficient second-preimage resistant (SPR; see Definition 6) rela- 
tion and a CCA scheme supporting labels, once again connected by an efficient NIZK 
for a complex relation. Not surprisingly, such tasks cannot typically be done by simply 
combining "off-the-shelf" schemes from the literature. At best, it requires very careful 
selection of parameters to make everything "match", followed by a round of further ef- 
ficiency optimizations. Usually, though, it requires the design of new primitives, which 
work well with other known primitives, to enable efficient NIZKs. For example, in this 
work, we designed two new SPR relations (see Section 5), since prior SPR relations 
did not appear to mesh well with our CCA encryption scheme. To emphasize the im- 
portance of the new SPR relations, we point out that combining previous constructions 
with Groth-Sahai proofs would require committing to the witness bit-by-bit in order to 
achieve full extractability. 

Overall, we get two different efficient instantiations of both leakage-resilient signa- 
ture and CCA encryption schemes in the standard model, based on standard (static and 
"fixed-length") assumptions in bilinear groups, namely the symmetric external Diffie- 
Hellman (SXDH) and Decision Linear (DLIN) assumptions. The high-level idea of these 
schemes, as well as their efficiency, is described in Section 5. The actual low-level details 
of how to put "everything together" in the most efficient manner are described in the 
full version. 

1.2 Related Work 

Leakage-Resilience and Memory Attacks. Our model of leakage, sometimes 
called memory attacks, was first proposed by Akavia et al., who also constructed 
CPA-secure PKE and IBE schemes in this model under the learning with errors (LWE) 
assumption. Later, Naor and Segev generalized the main ideas behind these con- 
structions to show that all schemes based on hash proof systems are leakage- 
resilient. In particular, this resulted in efficient constructions based on the DDH and 
K-Linear assumptions, where the relative leakage on the secret key could be made to 
approach 1. Moreover, Naor and Segev showed how to also achieve CCA security in 
this model by either (1) relying on the generic (and inefficient) Naor-Yung paradigm, 
where the leakage rate can be made to approach 1, or (2) using efficient hash proof 
systems, with leakage rate only approaching 1/6. Unfortunately, it seems that the hash 
proof system approach to building CCA encryption is inherently limited to leakage 
rates below 1/2: the secret key consists of two components (one for verifying that the 
ciphertext is well-formed and one for decrypting it), and the proofs break down if ei- 
ther of the components is individually leaked in its entirety. Subsequent work generalizes 
this still further by showing how to construct leakage-resilient IBE schemes generically 
based on identity-based hash proof systems, with several instantiations. 

Leakage-resilient signature schemes in the model of memory attacks were constructed 
in the random-oracle model by [?], and in the standard model by [?]. The 
random-oracle schemes are highly efficient but suffer from two limitations. Firstly, they 
rely on the Fiat-Shamir transform, which is only known to be secure in the random 
oracle model and is not sound in general. Secondly, the schemes can only tolerate 
leakage which approaches 1/2 of the secret key. On the other hand, the standard-model 
schemes allow for relative leakage approaching 1, but are based on generic simulation- 
sound NIZKs and do not come with an efficient instantiation. 

The work of [?] also constructs ID schemes and AKA protocols. For ID schemes, two 
notions of security were considered: a weaker notion called pre-impersonation leakage- 
resilience and a stronger notion called anytime leakage-resilience. Although efficient 
schemes in the standard model were given for both notions, the leakage resilience could 
be made to approach 1 only for pre-impersonation leakage, while for anytime leakage 
the given schemes can only tolerate a leakage rate below 1/2. For AKA schemes, a 
construction was given based on leakage-resilient signatures (only requiring a weak- 
ened notion of security called entropic unforgeability). Using the appropriate signature 
schemes, this yielded two types of constructions: efficient constructions in the random- 
oracle model and generic but inefficient constructions in the standard model (both of 
which have leakage rates approaching 1). 

Other models of leakage-resilience. Several other models of leakage-resilience 
have appeared in the literature. They differ from the model we described in that they 
restrict the type, as well as the amount, of information that the adversary can learn. For ex- 
ample, exposure-resilient cryptography studies the case where an adversary 
can only learn some small subset of the physical bits of the secret key. Similarly, [?] 
studies how to implement arbitrary computation in the setting where an adversary can 
observe a small subset of the physical wires of a circuit. Most recently, [?] study a sim- 
ilar problem, where the adversary can observe a low-complexity (e.g. $AC^0$) function 
of the wires. Unfortunately, these models fail to capture many meaningful side-channel 
attacks, such as learning the Hamming weight of the bits or their parity. 

In their seminal work, Micali and Reyzin initiated the formal modeling of side- 
channel attacks under the axiom that "only computation leaks information" (OCLI), 
where each invocation of a cryptographic primitive leaks a function of only the bits ac- 
cessed during that invocation. Several primitives have been constructed in this setting, 
including stream ciphers and signatures. More recently, [?] construct a 
general compiler that can secure all primitives in this setting, assuming the use of some 
limited leak-free components and the existence of fully homomorphic encryption. On 
the positive side, the OCLI model only imposes a bound on the amount of information 
learned during each invocation of a primitive, but not on the overall amount of infor- 
mation that the attacker can get throughout the lifetime of the system. On the negative 
side, this model fails to capture many leakage attacks, such as the cold-boot attack of 
[?], where all memory contents leak information, even if they were never accessed. 

Lastly, we mention models of leakage-resilience which are strictly stronger than the 
memory-attacks model. Firstly, the Bounded-Retrieval Model imposes an 
additional requirement on leakage-resilient schemes, by insisting that they provide a 
way to "grow" the secret key (possibly to many gigabytes) so as to proportionally 
increase the amount of tolerated leakage, but without increasing the size of the public 
key, the computational or communication efficiency of the scheme, or the lengths of the 
ciphertexts or signatures. The work of [?] constructs "entropic" signatures, ID schemes 
and AKA protocols in this setting, while the work of [?] constructs PKE and IBE 
schemes in this model. A different strengthening is the auxiliary input model, 
where the leakage is not necessarily bounded in length, but it is (only) assumed to be 
computationally hard to recover the secret key from the leakage. The work of [?] con- 
structs symmetric-key encryption in this model, under a strengthening of the learning 
parity with noise (LPN) assumption, while [?] constructs public-key encryption un- 
der the DDH and LWE assumptions. Yet another strengthening of the memory-attacks 
model, proposed by [?], is to require that there is a single scheme (parameterized only 
by the security parameter) which can tolerate essentially any amount of relative leakage, 
where the exact security of the scheme degrades smoothly as the relative leakage in- 
creases. In this model, [?] construct a symmetric-key encryption scheme. 

2 Definitions of Leakage-Resilient Primitives 

We model leakage attacks by giving the adversary access to a leakage oracle, which 
it can adaptively query to learn leakage on the secret key. A leakage oracle $\mathcal{O}^{\lambda}_{sk,\ell}(\cdot)$ is 
parametrized by a secret key $sk$, a leakage parameter $\ell$, and a security parameter $\lambda$. A 
query to the leakage oracle consists of a function $h_i : \{0,1\}^* \to \{0,1\}^{\alpha_i}$, to which the 
oracle answers with $y_i = h_i(sk)$. We only require that the functions $h_i$ be efficiently 
computable, and that the total number of bits leaked is $\sum_i \alpha_i \leq \ell$. 

Definition 1 (Leakage Resilient Hard Relation). A relation $R$ with a randomized 
PPT sampling algorithm KeyGen is an $\ell$-leakage resilient hard relation if: 

- For any $(sk, pk) \leftarrow \mathrm{KeyGen}(1^\lambda)$, we have $(sk, pk) \in R$. 

- There is a poly-time algorithm that decides if $(sk, pk) \in R$. 

- For all PPT adversaries $\mathcal{A}^{\mathcal{O}^{\lambda}_{sk,\ell}(\cdot)}$ with access to the leakage oracle $\mathcal{O}^{\lambda}_{sk,\ell}(\cdot)$: 

$$\Pr\left[R(sk^*, pk) = 1 \;\middle|\; (pk, sk) \leftarrow \mathrm{KeyGen}(1^\lambda),\ sk^* \leftarrow \mathcal{A}^{\mathcal{O}^{\lambda}_{sk,\ell}(\cdot)}(pk)\right] \leq \mathrm{negl}(\lambda).$$

Notice that without loss of generality, we can assume that $\mathcal{A}$ queries $\mathcal{O}^{\lambda}_{sk,\ell}(\cdot)$ only 
once with a function $h$ whose output is $\ell$ bits. 

Definition 2 (Leakage Resilient Signatures). A signature scheme $\mathcal{S} = (\mathrm{KeyGen}, \mathrm{Sign}, 
\mathrm{SigVer})$ is $\ell$-leakage resilient if $\forall$ PPT $\mathcal{A}$ we have $\Pr[\mathcal{A} \text{ wins}] \leq \mathrm{negl}(\lambda)$ in the fol- 
lowing game: 

1. Key Generation: The challenger runs $(vk, sk) \leftarrow \mathrm{KeyGen}(1^\lambda)$ and gives $vk$ to $\mathcal{A}$. 

2. Signing and leakage queries: $\mathcal{A}^{\mathcal{O}^{\lambda}_{sk,\ell}(\cdot),\, \mathcal{S}_{sk}(\cdot)}$ is given access to the leakage oracle 
$\mathcal{O}^{\lambda}_{sk,\ell}(\cdot)$ and the signing oracle $\mathcal{S}_{sk}(\cdot)$. A query to the signing oracle $\mathcal{S}_{sk}(\cdot)$ consists 
of a message $m$, to which the oracle responds with $\sigma = \mathrm{Sign}_{sk}(m)$. 

3. $\mathcal{A}$ outputs $(m^*, \sigma^*)$ and wins if $\mathrm{SigVer}_{vk}(m^*, \sigma^*) = 1$ and $m^*$ was not given to 
$\mathcal{S}_{sk}(\cdot)$ as a signing query. 

Definition 3 (Leakage Resilient CCA-Secure Encryption). We say that an encryp- 
tion scheme $\mathcal{E} = (\mathrm{KeyGen}, \mathrm{Enc}, \mathrm{Dec})$ is $\ell$-leakage resilient CCA-secure if $\forall$ PPT $\mathcal{A}$ we 
have $\Pr[\mathcal{A} \text{ wins}] \leq \tfrac{1}{2} + \mathrm{negl}(\lambda)$ in the following game: 

1. Key Generation: The challenger runs $(pk, sk) \leftarrow \mathrm{KeyGen}(1^\lambda)$ and gives $pk$ to $\mathcal{A}$. 

2. Decryption and leakage queries: $\mathcal{A}^{\mathcal{O}^{\lambda}_{sk,\ell}(\cdot),\, \mathcal{D}_{sk}(\cdot)}$ is given access to the leakage 
oracle $\mathcal{O}^{\lambda}_{sk,\ell}(\cdot)$ and the decryption oracle $\mathcal{D}_{sk}(\cdot)$. A query to the decryption oracle 
$\mathcal{D}_{sk}(\cdot)$ consists of a ciphertext $c$, to which the oracle responds with $m = \mathrm{Dec}_{sk}(c)$. 

3. Challenge generation: $\mathcal{A}$ sends plaintexts $m_0, m_1$ to the challenger. The chal- 
lenger chooses $b \leftarrow \{0, 1\}$, and sends $c^* \leftarrow \mathrm{Enc}_{pk}(m_b)$ to $\mathcal{A}$. 

4. Decryption queries: $\mathcal{A}^{\mathcal{D}_{sk}(\cdot)}$ is given access to the decryption oracle $\mathcal{D}_{sk}(\cdot)$ with 
the restriction that $\mathcal{A}$ cannot send $c^*$ as a decryption query. Notice also that $\mathcal{A}^{\mathcal{D}_{sk}(\cdot)}$ 
is not given access to the leakage oracle $\mathcal{O}^{\lambda}_{sk,\ell}(\cdot)$ (otherwise a single leakage query 
computing one bit of $\mathrm{Dec}_{sk}(c^*)$ would win the game trivially). 

5. $\mathcal{A}$ outputs $b'$, and wins if $b = b'$. 

We refer to a 0-leakage-resilient CCA-secure scheme as simply CCA-secure. 

Recall that we can define labeled CCA encryption, in which a message is encrypted 
and decrypted according to a public label $L$. If an encryption scheme $\mathcal{E} = (\mathrm{KeyGen}, \mathrm{Enc}, 
\mathrm{Dec})$ supports labels, we use the syntax $\mathrm{Enc}^L(m)$ to denote the encryption of message 
$m$ under label $L$. Similarly, we use $\mathrm{Dec}^L(c)$ to denote the decryption of ciphertext $c$ 
under the label $L$. In this case, we extend the correctness of encryption/decryption to 
requiring that $\mathrm{Dec}^L(\mathrm{Enc}^L(m)) = m$. The security definition described in Definition 3 
can also be easily modified as follows. A query to the decryption oracle now consists 
of a ciphertext $c$ and a label $L$, to which the oracle responds with $m = \mathrm{Dec}^L_{sk}(c)$. In 
the challenge generation stage, $\mathcal{A}$ submits a label $L^*$ as well as messages $m_0, m_1$, and 
the challenger computes $c^* \leftarrow \mathrm{Enc}^{L^*}_{pk}(m_b)$ for $b \leftarrow \{0, 1\}$. Finally, in the second stage 
of decryption queries, the adversary is allowed to ask for decryptions of 
any ciphertext $c$ under label $L$ subject only to $(L, c) \neq (L^*, c^*)$. 

Definition 4 (Leakage Resilient CPA-Secure Encryption). We say that an encryption 
scheme $\mathcal{E} = (\mathrm{KeyGen}, \mathrm{Enc}, \mathrm{Dec})$ is $\ell$-leakage resilient CPA-secure if $\forall$ PPT $\mathcal{A}$ we have 
$\Pr[\mathcal{A} \text{ wins}] \leq \tfrac{1}{2} + \mathrm{negl}(\lambda)$ in the game described above, with the modification that 
$\mathcal{A}$ does not have access to the decryption oracle $\mathcal{D}_{sk}(\cdot)$. If an encryption scheme is 
0-leakage-resilient CPA-secure we simply refer to it as being CPA-secure. 

3 Simulation Extractability 

We start by briefly recalling the notion of non-interactive zero-knowledge (NIZK). 
For our purposes, it will be slightly more convenient to use the notion of (same-string) 
NIZK argument. Note, however, that the definitions and constructions given 
in this section can be extended to the case of NIZK proofs. 

Let $R$ be an NP relation on pairs $(x, y)$ with corresponding language $L_R = \{y \mid \exists x 
\text{ s.t. } (x, y) \in R\}$. A non-interactive zero-knowledge (NIZK) argument for a relation $R$ 
consists of three algorithms $(\mathrm{Setup}, \mathrm{Prove}, \mathrm{Verify})$ with syntax: 

- $(\mathrm{CRS}, \mathrm{TK}) \leftarrow \mathrm{Setup}(1^\lambda)$: Creates a common reference string (CRS) and a trapdoor 
key to the CRS. 

- $\pi \leftarrow \mathrm{Prove}_{\mathrm{CRS}}(x, y)$: Creates an argument that $R(x, y) = 1$. 

- $0/1 \leftarrow \mathrm{Verify}_{\mathrm{CRS}}(y, \pi)$: Verifies whether or not the argument $\pi$ is correct. 

For the sake of clarity, we write Prove, Verify without the CRS in the subscript when 
the CRS can be inferred from the context. We require that the following properties hold: 

Completeness: For any $(x, y) \in R$, if $(\mathrm{CRS}, \mathrm{TK}) \leftarrow \mathrm{Setup}(1^\lambda)$, $\pi \leftarrow \mathrm{Prove}(x, y)$, 
then $\mathrm{Verify}(y, \pi) = 1$. 

Soundness: For any PPT adversary $\mathcal{A}$, $\Pr[\mathrm{Verify}(y, \pi^*) = 1 \wedge y \notin L_R] \leq \mathrm{negl}(\lambda)$, 
where the probability is taken over $(\mathrm{CRS}, \mathrm{TK}) \leftarrow \mathrm{Setup}(1^\lambda)$, $(y, \pi^*) \leftarrow \mathcal{A}(\mathrm{CRS})$. 

Composable Zero-Knowledge: There exists a PPT simulator Sim such that, for any 
PPT adversary $\mathcal{A}$, we have $|\Pr[\mathcal{A} \text{ wins}] - \tfrac{1}{2}| \leq \mathrm{negl}(\lambda)$ in the following game: 

- The challenger samples $(\mathrm{CRS}, \mathrm{TK}) \leftarrow \mathrm{Setup}(1^\lambda)$ and gives $(\mathrm{CRS}, \mathrm{TK})$ to $\mathcal{A}$. 

- $\mathcal{A}$ chooses $(x, y) \in R$ and gives these to the challenger. 

- The challenger samples $\pi_0 \leftarrow \mathrm{Prove}(x, y)$, $\pi_1 \leftarrow \mathrm{Sim}(y, \mathrm{TK})$, $b \leftarrow \{0, 1\}$ and 
gives $\pi_b$ to $\mathcal{A}$. 

- $\mathcal{A}$ outputs a bit $b'$ and wins if $b' = b$. 

We revisit the notion of simulation extractable NIZK arguments and 
define a new primitive called true-simulation extractable NIZK arguments. Apart from 
satisfying the properties described above, an NIZK argument is simulation extractable 
if there exists a PPT extractor Ext which, given an additional trapdoor to the CRS, ex- 
tracts a witness $x'$ from any proof $\pi$ produced by a malicious prover $P^*$, even if $P^*$ 
has previously seen some simulated proofs for other statements. We make an impor- 
tant distinction between our new definition of true-simulation extractability, where all 
simulated proofs seen by $P^*$ are only of true statements, and the stronger notion of any- 
simulation extractability, where $P^*$ can also see proofs of false statements. As we will 
see, the former notion is often simpler to construct and sufficient in our applications. 

We extend our definition to $f$-extractability, where Ext only needs to output some 
function $f(x')$ of a valid witness $x'$. We further extend this definition to support la- 
bels, so that the Prove, Verify, Sim, and Ext algorithms also take a public label $L$ as 
input, and the correctness, soundness, and zero-knowledge properties are updated ac- 
cordingly. If $\Pi = (\mathrm{Setup}, \mathrm{Prove}, \mathrm{Verify})$ is an NIZK argument with simulator Sim 
and extractor Ext, we write $\mathrm{Prove}^L$, $\mathrm{Verify}^L$, $\mathrm{Sim}^L$, $\mathrm{Ext}^L$ to denote proof, verifica- 
tion, simulation, and extraction under label $L$, respectively. 

We start by defining a simulation oracle $\mathrm{SIM}_{\mathrm{TK}}(\cdot)$. A query to the simulation oracle 
consists of a pair $(x, y)$ and a label $L$. The oracle checks if $(x, y) \in R$. If so, it ignores 
$x$ and outputs a simulated argument $\mathrm{Sim}^L(\mathrm{TK}, y)$, and otherwise outputs $\bot$. We now 
give a formal definition of true-simulation extractability. 

Definition 5 (True-Simulation $f$-Extractability). Let $f$ be a fixed efficiently com- 
putable function and let $\Pi = (\mathrm{Setup}, \mathrm{Prove}, \mathrm{Verify})$ be an NIZK argument for a re- 
lation $R$, satisfying the completeness, soundness and zero-knowledge properties above. 
We say that $\Pi$ is true-simulation $f$-extractable ($f$-tSE) with labels if: 

- Apart from outputting a CRS and a trapdoor key, Setup also outputs an extraction 
key: $(\mathrm{CRS}, \mathrm{TK}, \mathrm{EK}) \leftarrow \mathrm{Setup}(1^\lambda)$. 

- There exists a PPT algorithm $\mathrm{Ext}(y, \varphi, \mathrm{EK})$ such that for all $P^*$, $\Pr[P^* \text{ wins}] \leq 
\mathrm{negl}(\lambda)$ in the following game: 

1. Key Generation: The challenger runs $(\mathrm{CRS}, \mathrm{TK}, \mathrm{EK}) \leftarrow \mathrm{Setup}(1^\lambda)$ and gives 
CRS to $P^*$. 

2. Simulation queries: $P^{*\,\mathrm{SIM}_{\mathrm{TK}}(\cdot)}$ is given access to the simulation oracle 
$\mathrm{SIM}_{\mathrm{TK}}(\cdot)$, which it can adaptively access. 

3. Adversary Output: $P^*$ outputs a tuple $(y^*, L^*, \varphi^*)$. 

4. Extraction: The challenger runs $z^* \leftarrow \mathrm{Ext}^{L^*}(y^*, \varphi^*, \mathrm{EK})$. 

5. $P^*$ wins if (a) the pair $(y^*, L^*)$ was not part of a simulator query, (b) 
$\mathrm{Verify}^{L^*}(y^*, \varphi^*) = 1$, and (c) for all $x'$ such that $f(x') = z^*$ we have 
$R(x', y^*) = 0$.⁶ 

In the case when $f$ is the identity function, we simply say that $\Pi$ is true-simulation 
extractable (tSE). 

We give several variations of this new primitive. First, we define one-time simulation 
extractability, in which the adversary $P^*$ is only given a single query to the simula- 
tion oracle $\mathrm{SIM}_{\mathrm{TK}}(\cdot)$. Second, we define the notion of strong simulation extractability 
by changing the winning condition so that $P^*$ is now required to output a new state- 
ment/argument pair instead of a new statement. More formally, condition 5(a) becomes: 
the tuple $(y^*, L^*, \varphi^*)$ is new, that is, either $(y^*, L^*)$ was not part of a simulator query, or, 
if it was, the argument $\varphi^*$ is different from the one(s) given to $P^*$ by $\mathrm{SIM}_{\mathrm{TK}}(\cdot)$. We ob- 
serve that we can generically construct strong $f$-tSE NIZK arguments from (standard) 
$f$-tSE NIZK arguments if we additionally use a strongly-secure one-time signature. In 
particular, the prover now computes the standard $f$-tSE argument, signs it, and attaches 
the verification key $vk$ to the public label. To verify, we first check that the signature is 
valid and then verify the $f$-tSE argument. 

Finally, we say that an NIZK argument $\Pi$ is any-simulation $f$-extractable ($f$-aSE) 
(similar to the notion of simulation-sound extractability of [?]) if the adversary $P^*$ 
instead has access to a modified simulation oracle $\mathrm{SIM}_{\mathrm{TK}}(\cdot)$ that responds to all simu- 
lation queries without checking that $R(x, y) = 1$ (and hence might also give simulated 
arguments of false statements). In this work we do not make use of this variation, but 
state it here because, as we will see, this notion has been implicitly used in prior works. 
However, $f$-aSE is a stronger notion than $f$-tSE and is not needed, as we will show that 
$f$-tSE is sufficient for constructing leakage-resilient signatures and CCA encryption. 

4 Generic Constructions 

In this section we give generic constructions of leakage-resilient hard relations, signa- 
tures, and CCA-secure encryption. In the latter two we use the $f$-tSE NIZK primitive 
that we defined in Section 3. Finally, we give a construction of $f$-tSE NIZK arguments. 

Leakage-Resilient Hard Relations. We begin by showing how to generically 
construct leakage-resilient hard relations from SPR relations. Informally, we say that a 
relation $R$ is second-preimage resistant (SPR) if given a random $(x, y) \in R$ it is difficult 
to find $x' \neq x$ such that $(x', y) \in R$. We formalize this in the following definition. 
Definition 6 (Second-Preimage Resistant (SPR) Relation). A relation $R$ with a ran- 
domized PPT sampling algorithm KeyGen is second-preimage resistant if: 

- For any $(x, y) \leftarrow \mathrm{KeyGen}(1^\lambda)$, we have $(x, y) \in R$. 

- There is a poly-time algorithm that decides if $(x, y) \in R$. 

- For any PPT algorithm $\mathcal{A}$, $\Pr[(x', y) \in R \wedge x' \neq x] \leq \mathrm{negl}(\lambda)$, where the proba- 
bility is taken over $(x, y) \leftarrow \mathrm{KeyGen}(1^\lambda)$, $x' \leftarrow \mathcal{A}(x, y)$. 

6 In other words, the adversary wins if the extractor fails to extract a good value $z^*$ which 
corresponds to at least one valid witness $x'$; i.e. $f(x') = z^*$. For the identity function, $f(x) = 
x$, this corresponds to the statement $R(z^*, y) = 0$. 

We define the average-case pre-image entropy of the SPR relation to be $H_{avg}(R) = 
H_\infty(X \mid Y)$, where the random variables $(X, Y)$ are distributed according to $\mathrm{KeyGen}(1^\lambda)$. 
(We refer the reader to the full version for the definition of $H_\infty(X \mid Y)$.) 

Theorem 1. If $R(x, y)$ is an SPR relation, then it is also an $\ell$-leakage resilient hard 
relation for $\ell = H_{avg}(R) - \omega(\log \lambda)$, where $\lambda$ is the security parameter. 
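The following Python script is an added worked example by the editor, not code from the paper. It plays the leakage game of Section 2 (the oracle $\mathcal{O}^{\lambda}_{sk,\ell}$ with its cumulative budget $\sum_i \alpha_i \leq \ell$) against the classic discrete-log SPR relation $y = g^{x_1} h^{x_2}$, the "witness in the exponent" relation that Section 5 attributes to previous constructions, and puts Theorem 1 in numbers. The group is a constructed toy: the order-$q$ subgroup of $\mathbb{Z}_p^*$ with $p = 2039$, $q = 1019$ and generators $4$ and $9$; it offers no security and is chosen so that every preimage of $y$ can be enumerated. All function and class names below are the editor's. What the run shows: every $y$ has exactly $q$ witnesses, so $H_{avg}(R) = \log_2 q \approx 10$ bits; after $\ell$ bits of leakage about $q / 2^\ell$ witnesses remain consistent with the adversary's view, and once $\ell$ reaches $\log_2 q$ the secret is pinned down, which is why Theorem 1 stops at $H_{avg}(R) - \omega(\log \lambda)$.

```python
"""Toy leakage game for the SPR relation y = g^x1 * h^x2 (editor's example, not the paper's code).

Group: the order-q subgroup of Z_p^* with p = 2q + 1 (p = 2039, q = 1019).
These parameters are constructed for enumeration only and are not secure.
"""
import math
import random

P, Q = 2039, 1019          # p = 2q + 1, both prime (toy sizes, assumed for the example)
G, H = 4, 9                # quadratic residues, hence generators of the order-q subgroup

# Table g^i -> i for the whole subgroup: the "enumerate everything" step that is
# only possible because q is tiny. In a real group this is the discrete-log problem.
_DLOG_G = {pow(G, i, P): i for i in range(Q)}


def keygen(rng):
    """Sample (sk, pk) = ((x1, x2), y) with y = g^x1 * h^x2 mod p."""
    x1, x2 = rng.randrange(Q), rng.randrange(Q)
    y = pow(G, x1, P) * pow(H, x2, P) % P
    return (x1, x2), y


def in_relation(sk, y):
    """Poly-time decision procedure for (sk, y) in R."""
    x1, x2 = sk
    return pow(G, x1, P) * pow(H, x2, P) % P == y


def preimages(y):
    """All witnesses (x1, x2) of y. Each x2 determines exactly one x1, so there are
    q of them and H_inf(X | Y) = log2(q): this is H_avg(R) for the relation."""
    out = []
    for x2 in range(Q):
        target = y * pow(H, (Q - x2) % Q, P) % P   # y * h^(-x2), an element of <g>
        out.append((_DLOG_G[target], x2))
    return out


def avg_preimage_entropy_bits(y):
    return math.log2(len(preimages(y)))


class LeakageOracle:
    """O^{lambda}_{sk, ell}: answers h_i(sk) as long as the cumulative sum(alpha_i) <= ell."""

    def __init__(self, sk, ell):
        self.sk, self.ell, self.used = sk, ell, 0

    def query(self, h, alpha):
        """h must return a bitstring of exactly alpha bits; the budget is adaptive and cumulative."""
        if self.used + alpha > self.ell:
            raise ValueError("leakage budget exceeded")
        out = h(self.sk)
        if len(out) != alpha or set(out) - {"0", "1"}:
            raise ValueError("leakage function violated its declared output length")
        self.used += alpha
        return out


def low_bits_of_x1(nbits):
    """A concrete leakage function: the nbits least significant bits of x1."""
    def h(sk):
        return format(sk[0] % (1 << nbits), "0{}b".format(nbits))
    return h


def consistent_witnesses(y, h, leaked):
    """Witnesses of y that agree with the leaked value: the adversary's residual uncertainty."""
    return [w for w in preimages(y) if h(w) == leaked]


def leakage_experiment(ell, seed=7):
    """Run KeyGen, leak ell low bits of x1 through the oracle, and report the surviving witnesses."""
    rng = random.Random(seed)
    sk, y = keygen(rng)
    oracle = LeakageOracle(sk, ell)
    h = low_bits_of_x1(ell)
    leaked = oracle.query(h, ell)
    return sk, y, consistent_witnesses(y, h, leaked)


if __name__ == "__main__":
    for ell in (2, 4, 8, 10):
        sk, y, survivors = leakage_experiment(ell)
        print("ell = %2d bits: %4d of %d witnesses remain consistent" % (ell, len(survivors), Q))
```

Reading the numbers: with $\ell = 4$ about $1019/16 \approx 64$ witnesses survive, so an adversary who had to output a witness after seeing the leakage would hit the real one with probability about $1/64$, which is the collision event the proof of Theorem 1 turns into a second-preimage finder; with $\ell = 10$ the low bits reveal $x_1$ entirely and exactly one witness survives.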

Leakage-Resilient Signatures. We give a generic construction of leakage- 
resilient signatures based on leakage-resilient hard relations and tSE-NIZK arguments. 
Let $R(x, y)$ be an $\ell$-leakage resilient hard relation with sampling algorithm 
$\mathrm{KeyGen}_R(1^\lambda)$. Let $\Pi = (\mathrm{Setup}, \mathrm{Prove}, \mathrm{Verify})$ be a tSE-NIZK argument for rela- 
tion $R$ supporting labels. Consider the following signature scheme: 

- $\mathrm{KeyGen}(1^\lambda)$: Output $sk = x$ and $vk = (\mathrm{CRS}, y)$ where 
$(x, y) \leftarrow \mathrm{KeyGen}_R(1^\lambda)$, $(\mathrm{CRS}, \mathrm{TK}, \mathrm{EK}) \leftarrow \mathrm{Setup}(1^\lambda)$. 

- $\mathrm{Sign}_{sk}(m)$: Output $\sigma = \varphi$ where $\varphi \leftarrow \mathrm{Prove}^m(x, y)$. (Note that $m$ is the label.) 

- $\mathrm{SigVer}_{vk}(m, \sigma)$: Output $\mathrm{Verify}^m(y, \sigma)$. 

Theorem 2. If $R(x, y)$ is an $\ell$-leakage resilient hard relation and $\Pi$ is a labeled tSE- 
NIZK argument for $R$, then the above scheme is an $\ell$-leakage resilient signature scheme. 

Leakage-Resilient CCA-Secure Encryption. We give a generic construction 
of leakage-resilient CCA-secure encryption from leakage-resilient CPA-secure encryp- 
tion and strong $f$-tSE NIZK arguments. Let $\mathcal{E} = (\mathrm{KeyGen}, \mathrm{Enc}, \mathrm{Dec})$ be an $\ell$-LR-CPA 
secure encryption scheme and let $\Pi = (\mathrm{Setup}, \mathrm{Prove}, \mathrm{Verify})$ be a one-time strong 
$f$-tSE NIZK argument for the relation $R_{enc} = \{((m, r), (pk, c)) \mid c = \mathrm{Enc}_{pk}(m; r)\}$, 
where $f(m, r) = m$ (i.e. the extractor only needs to extract the message $m$, but not the 
randomness $r$ of encryption). We show how to use $\mathcal{E}, \Pi$ to construct an $\ell$-LR-CCA 
encryption scheme $\mathcal{E}^*$. Define $\mathcal{E}^* = (\mathrm{KeyGen}^*, \mathrm{Enc}^*, \mathrm{Dec}^*)$ by: 

- $\mathrm{KeyGen}^*(1^\lambda)$: Output $pk = (pk_0, \mathrm{CRS})$, $sk = sk_0$ where 
$(pk_0, sk_0) \leftarrow \mathrm{KeyGen}(1^\lambda)$, $(\mathrm{CRS}, \mathrm{TK}, \mathrm{EK}) \leftarrow \mathrm{Setup}(1^\lambda)$. 

- $\mathrm{Enc}^*_{pk}(m; r)$: Output $C = (c, \pi)$ where 
$c \leftarrow \mathrm{Enc}_{pk_0}(m; r)$, $\pi \leftarrow \mathrm{Prove}_{\mathrm{CRS}}((m, r), (pk_0, c))$ (witness $(m, r)$, statement $(pk_0, c)$). 

- $\mathrm{Dec}^*_{sk}(C)$: Parse $C = (c, \pi)$. If $\mathrm{Verify}_{\mathrm{CRS}}((pk_0, c), \pi) = 1$, output $\mathrm{Dec}_{sk_0}(c)$, else output $\bot$. 

Theorem 3. Assume that $\mathcal{E}$ is $\ell$-LR-CPA secure, and $\Pi$ is a strong one-time $f$-tSE 
NIZK argument for the relation $R_{enc}$ where, for any witness $(m, r)$, we define $f(m, r) = 
m$. Then the scheme $\mathcal{E}^*$ defined above is $\ell$-LR-CCA secure. 

We note that if the tSE NIZK construction allows labels, then we can naturally extend 
our construction above to yield an $\ell$-LR-CCA encryption scheme with labels, by simply putting 
the encryption labels into the NIZK proofs (and using them to verify the proofs). 
True-Simulation $f$-Extractable ($f$-tSE) NIZK. Let $f$ be any efficiently com- 
putable function, and let $R(x, y)$ be an NP relation. We show how to construct an $f$-tSE 
NIZK argument from any labeled CCA-secure encryption scheme and (standard) 
NIZK arguments. Let $\mathcal{E} = (\mathrm{KeyGen}, \mathrm{Enc}, \mathrm{Dec})$ be a CCA-secure encryption scheme 
supporting labels, and let $\Pi = (\mathrm{Setup}_\Pi, \mathrm{Prove}_\Pi, \mathrm{Verify}_\Pi)$ be an NIZK argument 
for the relation $R_\Pi = \{((x, r), (y, c, pk, L)) \mid R(x, y) = 1 \wedge c = \mathrm{Enc}^L_{pk}(f(x); r)\}$. 
We define the $f$-tSE NIZK argument $\Psi$ (supporting labels) as follows: 

- $\mathrm{Setup}(1^\lambda)$: Output $\mathrm{CRS} = (\mathrm{CRS}_\Pi, pk)$, $\mathrm{TK} = \mathrm{TK}_\Pi$, $\mathrm{EK} = sk$ where 
$(pk, sk) \leftarrow \mathrm{KeyGen}(1^\lambda)$, $(\mathrm{CRS}_\Pi, \mathrm{TK}_\Pi) \leftarrow \mathrm{Setup}_\Pi(1^\lambda)$. 

- $\mathrm{Prove}^L(x, y; r)$: Output $\varphi = (c, \pi)$ where 
$c \leftarrow \mathrm{Enc}^L_{pk}(f(x); r)$, $\pi \leftarrow \mathrm{Prove}_\Pi((x, r), (y, c, pk, L))$. 

- $\mathrm{Verify}^L(y, \varphi)$: Parse $\varphi = (c, \pi)$ and run $\mathrm{Verify}_\Pi((y, c, pk, L), \pi)$. 

Theorem 4. If $\mathcal{E}$ is a labeled CCA-secure encryption scheme and $\Pi$ is an NIZK argu- 
ment for relation $R_\Pi$, then $\Psi$ is an $f$-tSE NIZK argument for relation $R$. 

Comparison of Our Generic Constructions to Prior Work. The idea of 
using an SPR relation to construct leakage-resilient hard relations was implicit in [?], 
and explicitly described in [?] for the case of leakage-resilient one-way functions. 

Our constructions of leakage-resilient CCA encryption and signatures from tSE 
NIZKs bear significant resemblance to prior constructions. In particular, we observe that 
an alternate construction of tSE NIZK could be achieved by using a CPA-encryption 
scheme instead of a CCA one, and a simulation-sound NIZK (ss-NIZK) argument system 
instead of a standard one. In fact, the resulting construction would yield an any-simulation 
extractable (aSE) NIZK argument. This instantiation of aSE NIZKs is implicitly used by [?] in 
their construction of leakage-resilient signatures. It is also used implicitly in the Naor- 
Yung "double-decryption" paradigm for CCA security, which was later 
used in [?] to construct leakage-resilient CCA encryption. However, as we have seen, 
tSE is sufficient for constructing both leakage-resilient signatures and CCA encryption, 
and thus the stronger notion of aSE is not needed. Furthermore, given the current state 
of efficient encryption schemes and NIZKs, the difference in efficiency between ss-NIZK 
and standard NIZK is significantly greater than the difference between CCA- and CPA- 
secure encryption⁷, thus making tSE superior in both simplicity and efficiency. 

We note that our construction of tSE NIZKs (based on CCA encryption and stan- 
dard NIZKs) was implicitly used by [?] to construct signatures of group elements, 
and by [?] to construct efficient CCA encryption with key-dependent message (KDM) 
security from KDM-secure CPA encryption. Still, the abstraction of tSE has not been 
explicitly defined in prior work despite its apparent usefulness. 

5 Instantiations 

Assumptions. We review several standard hardness assumptions on which we will 
base our constructions. 

Decisional Diffie-Hellman (DDH). Let $\mathbb{G}$ be a group of prime order $q$. Let $g_1, g_2 \leftarrow \mathbb{G}$ 
and $r, r_1, r_2 \leftarrow \mathbb{Z}_q$. The decisional Diffie-Hellman (DDH) assumption states that the 
following two distributions are computationally indistinguishable: $(\mathbb{G}, g_1, g_2, g_1^{r_1}, g_2^{r_2})$ 
and $(\mathbb{G}, g_1, g_2, g_1^{r}, g_2^{r})$. 

Let $\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T$ be groups of prime order $q$ and let $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$ be a non- 
degenerate, efficiently computable bilinear map. 

Symmetric External Diffie-Hellman (SXDH). The symmetric external 
Diffie-Hellman assumption (SXDH) is that the DDH problem is hard in both $\mathbb{G}_1$ and 
$\mathbb{G}_2$. The assumption is clearly invalid for symmetric pairings (when $\mathbb{G}_1 = \mathbb{G}_2$), but is 
believed to hold when there is no efficiently computable mapping between $\mathbb{G}_1$ and $\mathbb{G}_2$. 

$K$-Linear and DLIN. Let $\mathbb{G}$ be a group of prime order $q$ and let $K \geq 1$ be a 
constant. Let $g_0, g_1, \ldots, g_K \leftarrow \mathbb{G}$ and $x_0, x_1, \ldots, x_K \leftarrow \mathbb{Z}_q$. The $K$-Linear assump- 
tion states that the following two distributions are computationally indistinguishable: 
$(\mathbb{G}, g_0, g_1, \ldots, g_K, g_1^{x_1}, \ldots, g_K^{x_K}, g_0^{x_0})$ and $(\mathbb{G}, g_0, g_1, \ldots, g_K, g_1^{x_1}, \ldots, g_K^{x_K}, g_0^{X})$, with 
$X = \sum_{i=1}^{K} x_i$. Note that for $K = 1$ the $K$-Linear assumption is the same as DDH, and that it does 
not hold when working with symmetric pairings. In that setting, the 2-Linear assump- 
tion is usually assumed to hold, and is often referred to as the Decisional Linear (DLIN) 
assumption. Throughout this paper we assume that the $K$-Linear assumption holds in both 
$\mathbb{G}_1$ and $\mathbb{G}_2$, which is the case when working with symmetric pairings, and slightly abuse 
notation when $K = 1$ and assume SXDH holds in that case. 

7 Informally, the difference between CCA- and CPA-secure encryption is only 2 group elements, 
whereas the size of a ss-NIZK proof is more than twice the size of a standard NIZK proof. 
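The following Python script is an added illustration by the editor, not code from the paper, of the shape of a $K$-Linear challenge tuple and of its collapse to DDH at $K = 1$. It uses a constructed toy group, the order-$q$ subgroup of $\mathbb{Z}_p^*$ with $p = 2039$, $q = 1019$, generated by $4$; the parameters are insecure by design, and the function names are the editor's. Because $q$ is tiny, every discrete logarithm can be read off a table, so the script can recover all exponents and test $x_0 \stackrel{?}{=} \sum_i x_i \bmod q$ directly: that table lookup is exactly the step that is assumed infeasible in a group of cryptographic size, and the "distinguisher" below only works because of it.

```python
"""K-Linear (and DDH, K = 1) challenge tuples in a toy group (editor's example, not the paper's code).

Toy group: order-q subgroup of Z_p^*, p = 2039, q = 1019 (constructed, insecure).
"""
import random

P, Q = 2039, 1019
G = 4                                          # generator of the order-q subgroup
_DLOG = {pow(G, i, P): i for i in range(Q)}    # brute-force discrete log; only feasible for toy q


def k_linear_tuple(gens, xs, x0):
    """Return (g_0, ..., g_K, g_1^x1, ..., g_K^xK, g_0^x0) for explicit generators and exponents.
    The tuple is 'linear' when x0 == sum(xs) mod q and 'random' otherwise."""
    g0, rest = gens[0], gens[1:]
    assert len(rest) == len(xs), "need one exponent per g_1..g_K"
    return tuple(gens) + tuple(pow(g, x, P) for g, x in zip(rest, xs)) + (pow(g0, x0, P),)


def sample_with(k, rng, linear):
    """Sample from the linear distribution (x0 = sum x_i) or the random one (x0 independent)."""
    gens = [pow(G, rng.randrange(1, Q), P) for _ in range(k + 1)]
    xs = [rng.randrange(Q) for _ in range(k)]
    x0 = sum(xs) % Q if linear else rng.randrange(Q)
    return k_linear_tuple(gens, xs, x0)


def sample(k, seed, linear):
    return sample_with(k, random.Random(seed), linear)


def is_linear_by_brute_force(tup):
    """Recover every exponent by table lookup and test x0 == sum(x_i) mod q.
    In a real group the lookups are discrete-log computations; here they are dict reads.
    For K = 1 the tuple (g_0, g_1, g_1^x1, g_0^x0) is a DDH tuple iff this returns True."""
    k = (len(tup) - 1) // 2
    gens, powers, g0x0 = tup[:k + 1], tup[k + 1:2 * k + 1], tup[-1]
    a = [_DLOG[g] for g in gens]                          # g_i = G^{a_i}
    xs = [(_DLOG[pw] * pow(a[i + 1], -1, Q)) % Q for i, pw in enumerate(powers)]
    x0 = (_DLOG[g0x0] * pow(a[0], -1, Q)) % Q
    return x0 == sum(xs) % Q


def distinguisher_advantage(k, trials, seed):
    """Empirical advantage of the brute-force distinguisher: ~1 - 1/q in the toy group,
    since a random tuple is accidentally linear with probability 1/q."""
    rng = random.Random(seed)
    hits_linear = sum(is_linear_by_brute_force(sample_with(k, rng, True)) for _ in range(trials))
    hits_random = sum(is_linear_by_brute_force(sample_with(k, rng, False)) for _ in range(trials))
    return (hits_linear - hits_random) / trials


if __name__ == "__main__":
    for k in (1, 2):
        print("K = %d: advantage over %d trials = %.3f" % (k, 200, distinguisher_advantage(k, 200, 1)))
```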

Our Instantiations. We show efficient instantiations of the leakage-resilient signa- 
ture and CCA-secure encryption constructions described in Section 4. For each scheme, 
we give two instantiations based on bilinear maps: one secure under the SXDH as- 
sumption, and a second secure under the DLIN assumption. The first can be used with 
asymmetric pairings, while the second applies to the case of symmetric pairings. We 
give details of all instantiations in the full version, but give a high-level idea below. 

Signatures. Recall that to instantiate the signature scheme from Section 4 we need a 
leakage-resilient hard relation $R$ (which we will derive from an SPR relation) and a true- 
simulation extractable (tSE) NIZK argument, which we build from CCA-secure encryp- 
tion and a standard NIZK argument for the relation $\{((x, r), (y, c, pk, L)) \mid R(x, y) = 1 
\wedge c = \mathrm{Enc}^L_{pk}(f(x); r)\}$. We show our choice of instantiations for these components: 

- CCA-Secure Encryption: Under both the SXDH and DLIN assumptions, we use 
efficient encryption schemes in the style of Cramer-Shoup. 

- NIZK Argument: We use the Groth-Sahai proof system, which can be instan- 
tiated both under SXDH and DLIN. 

- SPR Relation: Previous constructions of leakage-resilient primitives use the SPR 
function $g_1^{x_1} g_2^{x_2} \cdots g_n^{x_n}$. However, this function has the problem that the witness 
lies in the exponent. This means that we cannot combine it with an encryption 
scheme for elements in $\mathbb{G}$ (unless each witness component is committed bit by bit, 
which, among other things, results in proofs growing linearly with the security pa- 
rameter), and unfortunately encryption schemes for messages in $\mathbb{Z}_q$ cannot be com- 
bined with the Groth-Sahai system. We therefore construct two new SPR relations 
based on pairing-product equations. For our SXDH instantiation, we use the rela- 
tion $e(h_1, x_1)\, e(h_2, x_2) \cdots e(h_n, x_n) = e(y, g)$, where $g$ is a generator of $\mathbb{G}_2$. We 
prove that this relation is SPR under the SXDH assumption. In the DLIN case, we 
use the relation $e(h_1, x_1)\, e(h_2, x_2) \cdots e(h_n, x_n) = e(y_1, g)$, $e(H_1, x_1)\, e(H_2, x_2) 
\cdots e(H_n, x_n) = e(y_2, g)$, where $g$ is a generator of $\mathbb{G}$. We prove that this relation is 
SPR under the DLIN assumption. To achieve a $(1 - \epsilon)$ leakage ratio, we let $n$ (the 
number of witness components) in the SPR relation be inversely proportional to $\epsilon$. 

Theorem 5. Let $\mathbb{G}_1, \mathbb{G}_2$ be groups of prime order $q$. For any $\epsilon > 0$, there exists a 
$(1 - \epsilon)|sk|$-leakage resilient signature scheme, secure under the SXDH assumption, 
using signatures consisting of $(9/\epsilon)(1 + \omega(\log \lambda)/\log q) + 24$ group elements and 2 
elements in $\mathbb{Z}_q$. Similarly, for any $\epsilon > 0$, there exists a $(1 - \epsilon)|sk|$-leakage resilient 
signature scheme, secure under the DLIN assumption, using signatures consisting of 
$(19/\epsilon)(2 + \omega(\log \lambda)/\log q) + 70$ group elements and 6 elements in $\mathbb{Z}_q$. 

CCA-Secure Encryption. Recall that for leakage-resilient encryption, we need leakage- 
resilient CPA-secure encryption, standard CCA-secure encryption and strong tSE 
NIZK, which we can get from combining regular tSE NIZK with a strong one-time 
signature. We build regular tSE NIZK from CCA-secure encryption and regular NIZK. 
We describe our choices for each of these below. 

- LR-CPA-Secure Encryption: We construct a new leakage-resilient CPA-secure en- 
cryption scheme for our purpose in the style of ElGamal (similar to previously used 
schemes, but more efficient). The leakage that our new CCA-secure en- 
cryption tolerates is the same as the leakage tolerated by the CPA-secure scheme. 
Informally, we achieve a $(1 - \epsilon)$ leakage ratio in the CPA-secure scheme by increas- 
ing the number of generators used in the public key and ciphertext. This number 
will be inversely proportional to $\epsilon$. 

- CCA-Secure Encryption: Under both the SXDH and DLIN assumptions, we use 
efficient encryption schemes in the style of Cramer-Shoup [11,14,16]. 

- NIZK Argument: We use the Groth-Sahai proof system [55], which can be instan- 
tiated both under SXDH and DLIN. 

- One-Time Signature: We observe that any strong one-time signature secure under 
these assumptions can be used. Here, we opt for an existing scheme secure un- 
der the Discrete Log assumption (implied by both SXDH and DLIN), because its 
signature size is small, namely 2 elements in $Z_q$. 

Theorem 6. Let $G_1, G_2$ be groups of prime order $q$. For any $\epsilon > 0$, there exists a 
$(1 - \epsilon)|sk|$-leakage resilient encryption scheme, secure under the SXDH assumption, 
using ciphertexts consisting of $(2/\epsilon)(2 + \lambda/\log q) + 15$ group elements and 2 elements 
in $Z_q$. Similarly, for any $\epsilon > 0$, there exists a $(1 - \epsilon)|sk|$-leakage resilient encryption 
scheme, secure under the DLIN assumption, using ciphertexts consisting of $(3/\epsilon)(3 + 
\lambda/\log q) + 34$ group elements and 2 elements in $Z_q$. 

6 Other Applications 

Once we have efficient leakage-flexible signature schemes, we observe that the standard 
signature-based ID scheme, where the verifier asks the prover to sign a random message, 
easily extends to the leakage setting. Moreover, the resulting actively secure ID scheme 
inherits its relative leakage from the corresponding signature scheme, and satisfies the 
strongest notion of “anytime-leakage”, where the leakage can occur even during 
the impersonation attack. Although our method is pretty simple, we notice that the 
other two popular methods of building ID schemes — the use of Σ-protocols for hard 
relations analyzed in prior work (see the first two rows of the tables), and the use of CCA-secure 
encryption (where the prover decrypts a random challenge ciphertext) — inherently do 
not allow us to obtain optimal results, even when instantiated with leakage-flexible hard 
relations or CCA-encryption schemes. 

Finally, we obtain two efficient leakage-flexible AKA protocols. First, similarly to 
the case of ID schemes, we can obtain leakage-resilient AKA schemes from any leakage- 
resilient signature scheme, as has been formally shown before. The idea is to essentially sign 
every flow of a standard Diffie-Hellman-based protocol, but with a leakage-resilient sig- 
nature scheme. We notice, though, that the resulting protocol is not deniable. Namely, 
the transcript of the protocol leaves irrefutable evidence that the protocol took place. 
Motivated by this deficiency, we design another general AKA protocol based on CCA- 
encryption. The details are given in the full version, but, intuitively, the parties 
encrypt the flows of the standard Diffie-Hellman-based protocol, effectively proving 
their identities by successfully re-encrypting the appropriate flows. Although we do not 
formalize this, this protocol is “deniable”, because the transcript of the protocol can be 
simulated without the knowledge of the parties’ secret keys. To the best of our knowledge, 
this protocol was not suggested and analyzed even in the leakage-free setting, where it 
appears interesting already. Here we actually show that our (new) deniable AKA proto- 
col works even in the presence of leakage. 